
The Engineer’s Guide to Overfill Prevention

2015 EDITION
Introduction
Why invest?
Key elements
Regulatory requirements
Industry standards
Risk assessment
Overfill management system
Overfill prevention system
Proof-testing
Equipment selection
Appendix: Overfill prevention system examples
References

ISBN 9789198277906
“The quality of this book makes it the primary educational tool for the global process and bulk liquid storage industry to reduce the number of tank overfills”
Phil Myers, Co-author and API 2350 Edition 4 Committee Chairman

“If multiple layers of protection such as an independent high level alarm or automatic overfill prevention system had been present, this massive release [Puerto Rico, 2009] most likely would have been prevented.”
Vidisha Parasram, Investigator at US Chemical Safety and Hazard Investigation Board (CSB)

Legal disclaimer

This book is designed to provide information on overfill prevention only.

This information is provided with the knowledge that the publisher and author are offering generic advice
which may not be applicable in every situation. You should therefore ensure you seek advice from an
appropriate professional.

This book does not contain all information available on the subject. This book has not been created to be
specific to any individual’s or organizations’ situation or needs. Every effort has been made to make this
book as accurate as possible. However, there may be typographical and/or content errors. This book contains
information that might be dated. While we work to keep the information up-to-date and correct, we make no
representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability,
suitability or availability with respect to the book or the information, products, services, or related graphics
contained in the book or report for any purpose. Any reliance you place on such information is therefore strictly
at your own risk. Therefore, this book should serve only as a general guide and not as the ultimate source of
subject information. In no event will we be liable for any loss or damage including without limitation, indirect
or consequential loss or damage, arising out of or in connection with the use of this information. You hereby
agree to be bound by this disclaimer or you may return this book.

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording or by any information storage and retrieval
system, without written permission from the author.
Table of contents

1. Introduction 11
2. Why invest? 15
3. Key elements 29
4. Regulatory requirements 37
5. Industry standards 43
6. Risk assessment 51
7. Overfill management system 59
8. Overfill prevention system 63
9. Proof-testing 69
10. Equipment selection 81
11. Appendix: Overfill prevention system examples 85
12. References 105

Abbreviations

1oo1 - One out of one
1oo2 - One out of two
2oo3 - Two out of three
AOPS - Automatic overfill prevention system
BPCS - Basic process control system
CH - Critical high
ESD - Emergency shutdown system
FIT - Failures in time; number of failures that can be expected in one billion (10^9) device-hours of operation
FMEDA - Failure modes, effects and diagnostic analysis
HFT - Hardware fault tolerance
in situ - In place; in the context of overfill prevention this implies that the equipment (usually the level sensor) does not need to be unmounted
IPL - Independent protection layer
LAHH - Level alarm high-high
LOC - Levels of concern
MOPS - Manual overfill prevention system
MTBF - Mean time between failures
MTTF - Mean time to fail
MTTR - Mean time to repair
MWL - Maximum working level
OPS - Overfill prevention system
PFD - Probability of failure on demand
PFDAVG - Average probability of failure on demand
RRF - Risk reduction factor
SIF - Safety instrumented function
SIL - Safety integrity level
SIS - Safety instrumented system

1 Introduction

Topic / Page
1.1 Purpose 12
1.2 Background 12
1.3 Scope 13
1.4 Structure 14


Robust overfill prevention is not just about fulfilling regulatory requirements and minimizing risk. This book also describes how to increase profits by increasing plant efficiency and reducing labour cost.
What is a tank overfill? In this book it is defined as the point when the product inside a tank rises to the critical high level. This is the highest level in the tank that product can reach without detrimental impact (e.g. product overflow or tank damage) (API 2350, 2012).

1.1 Purpose
Does the risk of tank overfill worry you? Then this is the right book for you!
This book provides an objective overview of modern tank overfill prevention techniques based on relevant standards (IEC 61511, API 2350) and current Recognized and Generally Accepted Good Engineering Practice (RAGAGEP).

1.2 Background
Worrying about tank overfills is logical because there are hundreds of tank spills of hazardous materials every day (United States Environmental Protection Agency, 2014). The stored materials may be hazardous, flammable, explosive, and/or reactive with each other. The spill may affect the drinking water, or if exposed to an ignition source, there is potential for an explosion, which may result in injury to operations personnel, serious property damage, environmental issues, and evacuation of nearby communities. The cost is measured in thousands, millions or even billions of dollars. Previous accidents have proven that this can affect the company’s survival.
Another reason to worry about tank overfills is that for a long time overfills have been a leading cause of serious incidents in the process and bulk liquid industries. But overfills do not occur randomly. They are predictable and thereby preventable. This book uses current knowledge and expertise to provide a holistic view of tank overfill prevention and describes how modern equipment can be used to reach closer to the goal of zero tank overfills.

Picture 1.1 and 1.2: The Buncefield tank overfill accident in 2005 resulted in costs of billions of dollars (this accident is further described in chapter 2.4).

There is no doubt that safety expectations are increasing. One reason is that legislators are becoming more aware due to accidents, and as a result, regulations and permitting are becoming increasingly stringent with larger consequences. It is difficult for the industry to maintain compliance because solutions that were considered acceptable in the past may not conform to current requirements. This book describes the latest advancements in overfill prevention and how to implement future-proof solutions.

1.3 Scope
Although this book is intended for its defined scope, many of the principles are generic and may therefore be used elsewhere.

Industry overview: Process Industry; Bulk Liquid Storage.

Specific industries: The primary target of this book is the following industries:
• Petroleum
• Chemical / Petrochemical
• Power
• Food and beverage
• Pharmaceutical
• Metals and mining
• Airports

Spill causes: This book focuses on overfilling. There are a number of other possible causes for tank spills such as leakage or tank rupture due to corrosion, incorrect couplings or simply that tank openings have been left open during maintenance. The most prominent problem is, however, tank overfills.

Tanks and stored products: The material presented in this book is applicable to most tank types and applications containing liquid hazardous substances (e.g. oil and chemicals), but due to the generic approach it is impossible to cover every possible application and there are exceptions, such as LNG tanks (Liquid Natural Gas), which are not covered by this book.

Measurement variables: When filling a tank it is important to be aware of all relevant measurement variables such as pressure, temperature and level. The scope of this book is, however, limited to aspects relating to level measurement and associated systems.

1.4 Structure
This guide is structured to provide impartial
information. The structure is based on the IEC 61511
safety life-cycle. The appendix contains vendor
specific information.

2 Why invest?

Topic / Page
2.1 Risks related to tank overfills 16
2.2 Probability 16
2.3 Consequence 18
2.3.1 Life and health 18
2.3.2 Environmental pollution 18
2.3.3 Property damages 18
2.3.4 Corporate social responsibility 18
2.3.5 Public relations 18
2.3.6 Industry damage 18
2.3.7 Legal consequences 18
2.4 Case examples 19
2.5 Additional risks associated with tanks 27
2.6 Financial returns of modern overfill prevention 28
2.6.1 Efficiency increase 28
2.6.2 Reduced cost of risk 28

This chapter explains why investment in modern overfill prevention is good business: it not only reduces the statistically high risk of a tank overfill, it also has an immediate positive financial impact.

Why invest in modern overfill prevention?
• Protect life & health
• Protect environment
• Protect plant assets
• Comply with regulations
• Improve public relations
• Corporate social responsibility
• Increase plant efficiency
• Minimize financial & legal risks

2.1 Risks related to tank overfills
Risk consists of two components: Probability x Consequence. This section exemplifies these two components from a general perspective to establish why there is considerable risk of tank overfill if improper overfill prevention is used. Chapter 6 “Risk assessment” discusses how the risk can be estimated for specific tanks and what tools to use.

Risk = Probability x Consequence

2.2 Probability
The probability of a tank overfill can be estimated using historical data. Although individuals and companies may try to conceal spills, the United States environmental agency has been able to report around 14,000 oil spills annually in the United States alone (United States Environmental Protection Agency, 2014). Since the US currently consumes approximately 20% of the world’s oil demand (Central Intelligence Agency, 2015), this equates to 70,000 oil spills globally. Considering that there are hazardous substances other than oil, that the original data is conservative due to spill concealment, and that some countries are less focused on spill prevention than others, the true number probably exceeds 100,000 spills of hazardous products per year globally. Not all of these spills necessarily arise from a tank overfill, but the data provides an interesting perspective.
The insurance company Marsh provides an alternative approach focused only on tank overfills, by collecting actual data from the bulk liquid storage industry. According to their research on atmospheric storage tanks, one overfill occurs statistically every 3,300 filling operations (Marsh and McLennan Companies, 2001). This equals one overfill every 10 years for a group of 10 tanks where each tank is filled 3 times per month. Using the same assumptions for a group of 100 tanks, the rate of overfill equals one every year.

Historical industry data indicates: One overfill every 3,300 fillings


As an alternative to referencing historical data, the probability of failure of overfill prevention equipment can be examined.

Basic tank example with mechanical level and independent switch: What is the probability of a tank overfill? Once every 2,400 fillings.

Assumptions
Tank operations:
• 2 fillings per month

Mechanical float and tape level measurement:
• Randomly fails dangerously undetected once every 5 years (e.g. by getting stuck)
• Failure is detected during every transfer
• Repaired when the transfer has been completed

Mechanical level switch:
• Randomly fails dangerously undetected once every 10 years
• Proof-tested annually (12 months) and repaired if a failure is detected

Figure 2.1: Generic tank example with a mechanical level transmitter (float and tape level measurement) and an independent mechanical level switch

Calculation
During 10 years or 120 months of operation, 2 fillings each month add up to 240 fillings in total.
Mechanical float and tape level measurement is stated to fail dangerously undetected once every 5 years. This means 2 failures during 240 fillings. Since repair is expected to occur directly upon transfer completion, the overall probability of filling with a failed float and tape level measurement is 2/240 = 0.8%.
Similarly, the mechanical level switch is expected to fail dangerously undetected only once during the 240 fillings over 10 years. However, with annual proof-testing, one must expect each failure to remain unnoticed for an average of 6 months, which translates to 12 fillings assuming 2 fillings per month. Hence, the probability of filling with a failed mechanical switch is 12/240 = 5%.
Altogether, the probability of filling a tank with a failed float and tape level measurement AND a failed mechanical switch is 0.8% x 5% = 0.04%. Alternatively, once every 1/0.04% = 2,400 fillings (the unrounded product 2/240 x 12/240 is exactly 1/2,400).

Interpreting the calculations
The result of these calculations can easily be understood by applying them to a tank group consisting of 10 tanks equipped with the above specified equipment. During 10 years, such a tank group would experience 2,400 fillings. Under the given assumptions, there is consequently a 100% probability that the mechanical level switch and the mechanical float and tape will simultaneously be non-functional during a tank filling. The operators will be unaware that the level sensors are non-functional and consequently there is a probability that a tank overfill will occur.

Fact box 2.1: Basic tank example with mechanical level and independent switch: What is the probability of a tank overfill? Once every 2,400 fillings.
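The two estimates in this chapter, the Marsh rate of one overfill per 3,300 fillings scaled to a tank group (section 2.2) and the two-layer calculation in Fact box 2.1, carried out in code. This is an added example, not part of the book; the layer definitions and filling frequencies are the assumptions the fact box states, and treating the two layers as independent is the book's own assumption.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional


@dataclass(frozen=True)
class Layer:
    """One level-detecting protection layer as described in Fact box 2.1."""
    name: str
    years_between_dangerous_failures: int   # float and tape: 5, mechanical switch: 10
    proof_test_months: Optional[int]        # None: a failure is revealed at the next transfer


def fillings_with_failed_layer(layer: Layer, fillings_per_month: int,
                               horizon_years: int = 10) -> Fraction:
    """Share of fillings during which `layer` is dangerously failed.

    Follows the book's reasoning: count dangerous failures over the horizon,
    multiply by the number of fillings each failure stays unrevealed, and
    divide by the total number of fillings in the horizon. Fractions keep the
    result exact, so 2/240 x 12/240 comes out as 1/2400 rather than a rounded
    0.04%.
    """
    total_fillings = fillings_per_month * 12 * horizon_years
    failures = Fraction(horizon_years, layer.years_between_dangerous_failures)
    if layer.proof_test_months is None:
        # Detected during the transfer and repaired afterwards: one exposed filling per failure.
        exposed_per_failure = Fraction(1)
    else:
        # Revealed only by the proof test: on average half the interval passes unnoticed.
        exposed_per_failure = Fraction(layer.proof_test_months, 2) * fillings_per_month
    return failures * exposed_per_failure / total_fillings


def fillings_per_simultaneous_failure(layers, fillings_per_month: int,
                                      horizon_years: int = 10) -> Fraction:
    """Expected number of fillings between occasions when every layer is failed at once.
    The layers are assumed independent (as in the fact box), so the shares multiply."""
    p = Fraction(1)
    for layer in layers:
        p *= fillings_with_failed_layer(layer, fillings_per_month, horizon_years)
    return 1 / p


def years_between_overfills(fillings_per_overfill: int, tanks: int,
                            fillings_per_tank_per_month: int) -> Fraction:
    """Scale a per-filling overfill rate (Marsh: 1 in 3,300) to a group of tanks."""
    fillings_per_year = tanks * fillings_per_tank_per_month * 12
    return Fraction(fillings_per_overfill, fillings_per_year)


# The two layers of Fact box 2.1.
FLOAT_AND_TAPE = Layer("float and tape level measurement", 5, None)
MECHANICAL_SWITCH = Layer("mechanical level switch", 10, 12)

if __name__ == "__main__":
    layers = (FLOAT_AND_TAPE, MECHANICAL_SWITCH)
    for layer in layers:
        share = fillings_with_failed_layer(layer, fillings_per_month=2)
        print(f"{layer.name}: {float(share):.2%} of fillings with a failed layer")
    print("both failed once every", fillings_per_simultaneous_failure(layers, 2), "fillings")
    print("10 tanks, 3 fillings/month:",
          f"{float(years_between_overfills(3300, 10, 3)):.1f} years per overfill")
    print("100 tanks, 3 fillings/month:",
          f"{float(years_between_overfills(3300, 100, 3)):.1f} years per overfill")
```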

2.3 Consequence
Potential consequences of a tank overfill are detailed below, along with case examples in section 2.4.

2.3.1 Life and health
A work environment where there is a probability of severe consequences such as personal injuries or even fatalities must be avoided at all costs. The slightest rumor about an unsafe work place or part of a facility will affect reputation, even if an accident has not occurred.
In cases where an accident occurs that involves injuries or fatalities, in addition to personal suffering, claims against the company responsible can be expected.
A case example of fatalities, injuries and evacuation is presented in case 7 “Fatalities, injuries and evacuation”.

2.3.2 Environmental pollution
Potential environmental pollution from a tank overfill includes many aspects of the local surroundings. Drinking water, air pollution, wildlife and the ecosystems are just a few examples. The local community’s trust is often closely connected to environmental aspects.
When an accident occurs that results in environmental pollution, considerable fines for the responsible company may be expected. Additionally, the cost of removing or treating contaminated soil or water (“clean-up”) can be considerable.
Case examples of spill clean-up and clean-water contamination are presented in cases 1 “Spill clean up” and 4 “Clean water contamination”.

2.3.3 Property damages
Tank overfills may result in both fires and explosions which can cause considerable damage both on and off-site.
A case example of property damages is presented in case 2 “Property damages”.

2.3.4 Corporate social responsibility
The process industry operates on the foundation of the public’s acceptance. Tank overfills may considerably impact not only the facility and its personnel, but also the surrounding communities, as described in previous sections of this chapter.
For companies to be viable in the long run they need to be perceived by the public as operating ethically and correctly according to societal values. Fines, additional regulations and inspections, operational changes, ownership adjustments and ultimately closure are all possible results that can occur if the public’s trust is lost. Implementing modern overfill prevention is one of many required actions to fulfil the public’s expectation on corporate social responsibility.

2.3.5 Public relations
The news of an accident spreads quickly. Written statements, photos and videos are often made available to the public. This can influence regulators to tighten legislation and increase governmental involvement through additional requirements on safety and more frequent and thorough inspections.

2.3.6 Industry damage
An accident does not only affect the responsible facility, but also the entire industry. The entire industry is at stake when it comes to incidents.
There are numerous examples where a single tank overfill has affected the entire industry, and a specific case example is presented in case 5 “Corporate fines”.

2.3.7 Legal consequences
Tank overfills frequently end up in court or with settlements involving both criminal and civil charges. Not only may the responsible company be accused, but also its staff, and there are cases where employees, executives and owners have been imprisoned. Here are a few examples:
• Buncefield, 2005 (Case 2 “Property damage”): five companies accused of causing the accident faced criminal prosecution.
• Puerto Rico, 2009 (Case 3 “Bankruptcy”): A joint lawsuit against the responsible company by 1,000 defendants seeking $500 million in damages. The company went bankrupt.
• Elk River, 2014 (Case 4 “Clean water contamination”): The company went bankrupt due to clean-up costs and lawsuits. The company’s president was indicted on charges of negligent discharge of a pollutant among other alleged violations. Three former owners were indicted on charges of negligent discharge of a pollutant and negligent discharge of refuse matter.
• Jaipur, 2009 (Case 7 “Fatalities, injuries and evacuation”): 20 people were accused of one or more of the following charges: causing death by negligence; public servant disobeying law with intent to cause injury to any person; punishment of criminal conspiracy; and punishment for attempting to commit offences punishable with imprisonment for life or other imprisonment.

2.4 Case examples
This section provides information about the actual consequences that can occur from a tank overfill using specific case examples.
All the examples included relate to spills, but some of them are not a direct result of a tank overfill. However, these examples are included to show the potential consequences of a tank overfill; the result is similar independently of how the spill occurred.

Deflagration and vapor cloud explosions

If an organic, volatile and flammable compound’s air mixture exists in an open space, as might be caused by a tank overfill of propane, natural gas, or gasoline, then an ignition source may result in an explosion. Safety engineers distinguish the explosion by considering a few key characteristics of the explosion.

Deflagration
In a deflagration, the combustion process of the burning wave front initiated at the ignition source propagates through the flammable mixture at subsonic speeds. The hazard is the flame or flash fire that at high temperature has the potential to burn equipment and people, and to ignite other flammable liquid sources, creating the potential for fire escalation and other safety hazards.

Vapor cloud explosion
In a vapor cloud explosion (VCE) the burning flame front travels above the speed of sound and a compression wave is set up. The high pressure shock wave or blast wave by itself (even if there were no heat) is sufficient to cause fatalities and to create major damage to facilities and structures.

Picture 2.1: Refinery explosion

Fact box 2.2: Deflagration and vapor cloud explosion

Spill clean-up
Western Massachusetts, United States, 2005

Sequence of events
A small facility with a single operator present while a bulk liquid storage tank was filled through a pipeline. The operator thought that he would have time to go to the bar across the street for a quick beer. Suddenly the bartender pointed out that diesel was shooting out from a tank vent. The operator ran back to the terminal to close a valve in order to shut down the flow of incoming product. As a result of this tank overfill, 23,000 gallons of diesel was released to the secondary containment, which consisted of a soil bottom and steel sides. 14,000 gallons of the released product was recovered using vacuum trucks and 9,000 gallons were lost to the subsurface, which contaminated the groundwater. Light non-aqueous phase liquid was found in 14 wells during 2 weeks. More than 300,000 gallons of liquids were extracted and reinjected to recover the soil in the vicinity of the tank. Total cost exceeded $350,000.

Picture 2.2: Spill clean up

Root causes
• Failure to adhere to written instructions
• Incorrect manual calculation of flow-rates
• Overfill prevention system existed but was not automatic

Lessons learned
• Although the personnel were qualified, there was a lack of safety culture that made personnel
deviate from instructions
• An automatic overfill prevention system could have prevented this accident

Source: Felten, 2015

Case 1: Spill clean up

Property damages
Buncefield fuel depot, United Kingdom, 2005

Sequence of events
A floating-roof tank overfilled at a tank terminal, which resulted in the release of large quantities of gasoline near London. A vapor cloud formed which ignited and caused a massive explosion and a fire that lasted five days.
The terminal was at the time the fifth largest in the United Kingdom. The terminal supplied both Heathrow and Gatwick airports with aviation fuel as well as distribution of motor fuels and gasoline throughout the region.

Picture 2.3: Property damage caused by the accident in Buncefield

Root causes
The primary root cause was that the electromechanical servo level gauge failed intermittently and the
mechanical level switch used in the independent overfill prevention system was inoperable.
The mechanical level switch required a padlock to retain its check lever in a working position. However, the
switch supplier did not communicate this critical point to the installer and maintenance contractor or the
site operator. Because of this lack of understanding, the padlock was not fitted and as a consequence the
mechanical level switch was inoperable.
The electromechanical servo level gauge had stuck 14 times in the three months prior to this major failure.
The root-cause of the ‘sticking’ was never properly investigated or determined. The lack of a proper
‘lessons-learned’ procedure indicates that there was an obvious problem with the overfill management
system.

Consequences
• 40 People injured but no fatalities
• Major property damages including destruction of tanks and nearby office buildings
• Largest fire in Europe since World War II
• Disruption of nearby transportation routes and businesses
• Groundwater pollution
• Settlements exceeding £700 million (approximately $1 billion)
• Civil and criminal charges against the company and individual employees

Lessons learned
The accident received considerable attention from the public and the government. As a result stringent
regulations were created based on a holistic perspective and the functional safety standard IEC 61511. The
government now inspects that these types of facilities have implemented proper management systems,
risk assessments of all tanks and lessons learned procedures.
More specifically, the Buncefield Major Incident Investigation Board* issued a recommendation to install an independent automatic overfill prevention system conforming to IEC 61511 on all bulk liquid storage tanks.
Source: Marsh, 2007

Case 2: Property damage

Bankruptcy
Puerto Rico, United States, 2009

Sequence of events
During the off-loading of gasoline from a tanker ship to the tank farm, a five million gallon above ground storage tank overfilled into a secondary containment dike, resulting in the formation of a large vapor cloud which ignited after reaching an ignition source in the wastewater treatment area of the facility. In addition to causing an extensive vapor cloud fire, the blast created a pressure wave registering 2.9 on the Richter scale. For more than two days, dark clouds of particulates and smoke polluted the air, and petroleum products leaked into the soil and navigable waterways in the surrounding area. The smoke cloud was large enough to be visible by NASA’s Terra satellite. On the days after the explosion, more than 60 agents from both the FBI and the Bureau of Alcohol, Tobacco, Firearms and Explosives were dispatched to the site.

Picture 2.4: Puerto Rico accident in 2009

Root causes
• Malfunctioning automatic tank gauge (float and tape)
• Lack of independent overfill prevention system
• Incorrect manual calculation of flow rate
• Inadequate overfill management system
• Lack of formal procedures for operations

Consequences
• Bankruptcy
• The blast and fire from multiple secondary explosions resulted in significant damage to the
petroleum storage tanks and other equipment on site and in hundreds of homes and businesses up
to 1.25 miles from the site
• Groundwater pollution
• Calls for additional regulation
• Involvement of the United States Department of Homeland Security (which adds complexity to the
industry)

Lessons learned
One of the aspects that the United States Chemical Safety and Hazard Investigation Board (CSB) emphasizes is the importance of an independent and automatic overfill prevention system. Additionally, this incident shows the importance of correctly measuring the actual flow-rate into the tank and an automatic calculation of the estimated completion time of the transfer. This can be achieved by using a level transmitter and an automatic calculation of the level rate combined with a calculation of the tank’s volume.
Source: U.S. Chemical Safety and Hazard Investigation Board (2015) and Puerto Rico Seismic Network (2009)

Case 3: Bankruptcy
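The completion-time estimate that the lessons learned above call for, written as an added example that is not from the book or the CSB: level readings are constructed inline, the tank is assumed to be a vertical cylinder with a constant cross-section (a real installation would use its strapping table), and the critical high level and the stuck-gauge threshold are constructed values. The same level-rate calculation also flags the opposite failure seen in the Buncefield case, a gauge that does not move while a transfer is running.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Reading = Tuple[float, float]   # (minutes since transfer start, level in metres)


@dataclass(frozen=True)
class Tank:
    """Hypothetical vertical cylindrical tank: volume = level x constant area."""
    area_m2: float            # cross-section area; a real tank would use its strapping table
    critical_high_m: float    # CH: the level that must never be reached


def level_rate_m_per_min(readings: Sequence[Reading]) -> float:
    """Least-squares slope of level against time, i.e. the level rate.
    Fitting several readings instead of differencing the last two damps transmitter noise."""
    n = len(readings)
    if n < 2:
        raise ValueError("need at least two readings")
    mean_t = sum(t for t, _ in readings) / n
    mean_l = sum(l for _, l in readings) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in readings)
    if sxx == 0.0:
        raise ValueError("readings must span more than one instant")
    sxl = sum((t - mean_t) * (l - mean_l) for t, l in readings)
    return sxl / sxx


def flow_rate_m3_per_h(tank: Tank, readings: Sequence[Reading]) -> float:
    """Volumetric inflow derived from the level rate and the tank geometry."""
    return level_rate_m_per_min(readings) * tank.area_m2 * 60.0


def minutes_to_critical_high(tank: Tank, readings: Sequence[Reading]) -> Optional[float]:
    """Estimated time until the level reaches CH at the measured rate.
    Returns None when the level is not rising, because no completion time exists then."""
    rate = level_rate_m_per_min(readings)
    if rate <= 0.0:
        return None
    _, current = readings[-1]
    return (tank.critical_high_m - current) / rate


def gauge_looks_stuck(readings: Sequence[Reading], transfer_active: bool,
                      min_rate_m_per_min: float = 0.001) -> bool:
    """A transfer is running but the gauge reports no movement: the Buncefield pattern.
    The threshold is a constructed value; a site would derive it from its slowest pump."""
    return transfer_active and abs(level_rate_m_per_min(readings)) < min_rate_m_per_min


# Constructed sample data: one reading per minute during a steady fill,
# and the same tank reported as motionless while the transfer continues.
SAMPLE_TANK = Tank(area_m2=200.0, critical_high_m=12.0)
SAMPLE_READINGS = [(0.0, 10.00), (1.0, 10.05), (2.0, 10.10), (3.0, 10.15)]
STUCK_READINGS = [(0.0, 10.15), (1.0, 10.15), (2.0, 10.15), (3.0, 10.15)]

if __name__ == "__main__":
    print(f"inflow: {flow_rate_m3_per_h(SAMPLE_TANK, SAMPLE_READINGS):.0f} m3/h")
    print(f"time to CH: {minutes_to_critical_high(SAMPLE_TANK, SAMPLE_READINGS):.0f} min")
    print("stuck gauge during transfer:", gauge_looks_stuck(STUCK_READINGS, transfer_active=True))
```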

Clean water contamination
Elk River, United States, 2014

Sequence of events
Approximately 7,500 gallons of chemicals used to process coal spilled into the Elk River in West Virginia from an above ground storage tank at a small tank depot. The Elk River is a municipal water source that serves approximately 300,000 people in the surrounding area.

Picture 2.5: Water inspection

Root causes
• Corroded tank
• Malfunctioning secondary containment

Consequences
• Officials issued a “do-not-use” advisory for the drinking water for 5 days
• The company went bankrupt and the facility was razed to the ground
• Criminal charges against 6 individuals associated to the company (owners, managers and
employees) who pleaded guilty

Lessons learned
Local regulators realized the risk associated with tank overfill and have implemented legislation (United
States Environmental Protection Agency’s “Spill Prevention, Control, and Countermeasure Plan”; SPCC
Plan) for above ground storage tanks. The legislation contains requirements for tank and secondary
containment inspections.

Case 4: Clean water contamination

Corporate fines
Monongahela River, United States, 1988

Sequence of events
A four-million gallon tank catastrophically failed. The tank was used for the first time after being reconstructed at a new site. One million gallons of the diesel oil spilled into a storm sewer that flowed into the Monongahela River.

Picture 2.6: Refinery next to river

Consequences
• Federal Government issued a fine of $2.25 million, the largest for a petroleum company at the time
• Lawsuits: one for violating the Clean Water Act and another for violating the Federal Refuse Act
• $18 million in cleanup fees and civil lawsuits from those distressed by the experience
• The potable water supplies for about 1 million people were disrupted. Water shortages were common after the incident. Wildlife, fish and mussels were harmed or killed
• Over 1,200 residents had to evacuate for approximately a week

Lessons learned
Tank overfills do not only concern the owner of the tank, but also the public. Governments may issue
considerable fines which, including other associated costs with a spill, may result in bankruptcy.
Incidents do not only affect the specific company but also the entire industry. For example this incident is
one of the reasons why the industry, through API, garnered a task group to publish the standard API 653
“Above Ground Storage Tanks Inspector Program”.

Case 5: Corporate fines

Condemnation of executives
Texas City refinery, United States, 2005

Sequence of events
The incident occurred during the startup of the raffinate splitter section of the isomerization unit, when the raffinate splitter tower was overfilled. The excess gas flowed into a back-up unit, which then also overflowed and sent a geyser of gasoline into the air. Flammable liquid was released, vaporized, and ignited, resulting in an explosion and fire.

Picture 2.7: Texas City refinery accident

Root causes
• Malfunctioning level transmitters and alarms
• The level transmitters’ measurement ranges were insufficient
• Lack of safety culture made the operators regularly deviate from written startup procedures

Consequences
• 15 contract employees were killed
• A total of 180 workers at the refinery were injured, 66 seriously
• Considerable property damages on-site, and off-site windows were shattered in homes and businesses located up to three-quarters of a mile (1.2 km) away from the isomerization unit
• The company was charged with criminal violations of federal environmental laws, and has been named in lawsuits by the victims’ families. In a quarterly report the company revealed that it had reserved $700 million for fatality and personal injury claims, although some cases had not yet been settled
• Government recommended the company appoint an independent panel to investigate the safety culture and management systems. The investigation was headed by former United States Secretary of State James Baker III and the resulting report is known as the “Baker Panel report”
• Victims, media and government officials publicly condemned the company for saving money on safety while making billions of dollars in profits

Lessons learned
Major accidents are not only costly, but also receive considerable public attention. The company’s
reputation will be damaged and even the acceptance of its existence may be questioned. This also affects
the company’s employees and the executives may personally be liable for the accidents and be publicly
condemned.
According to the US Chemical Safety and Hazard Investigation Board the key issues were:
• Safety culture
• Regulatory oversight
• Lack of process safety metrics
• Human factors
More specifically, the accident could probably have been avoided if level transmitters with a measurement
range covering the entire tank had been installed.
Source: Loren, 2005

Case 6: Condemnation of executives

Fatalities, injuries and evacuation
Jaipur, India, 2009

Sequence of events
During a routine transfer of kerosene between two terminals, a huge leak occurred at a “Hammer blind valve”. The liquid rapidly generated vapors which made it impossible for the shift operators to address the problem. About 15 minutes after the leak started, there was a massive explosion followed by a huge fireball covering the entire installation. The fire which followed the explosion soon spread to all other tanks and continued to rage for 11 days.

Picture 2.8: Oil fire

Consequences
• 12 people lost their lives due to burns and asphyxia and more than 300 suffered injuries. Many of the
fatalities were company employees
• Half a million people were evacuated from the area
• The Ministry of Petroleum & Natural Gas immediately thereafter appointed a 5-member committee
to investigate the causes of the accident and submit a report within 60 days
• Accusations were raised against 20 employees
• The police arrested 9 senior company officials including its general manager on charges of criminal
negligence eight months after the accident

Lessons learned
Tank spills can result in very serious consequences including fatalities, injuries and evacuation of nearby
communities.
Source: Oil Industry Safety Directorate, 2010

Case 7: Fatalities, injuries and evacuation


2.5 Additional risks associated with tanks
There are numerous risks associated with
tanks. Below are examples where the risk can
be considerably decreased by using better level
measurement.

Tank leakages
Leaks occur for a number of reasons, for example corrosion,
tank stress or improper welds. As a part of the ongoing safety
trend, the need for leak detection has increased, and many
countries mandate it by law for certain tank types (e.g. above
ground and underground storage tanks).
By using accurate level measurement, abnormal product
movements in the tank can be monitored and thereby used
to detect leaks. The major advantage with using accurate
level measurement for leak detection is that no additional
equipment is required.

Tank low level


Low level in the tank can be a considerable risk in certain applications due to, for example, the potential for
pumps running dry or heating coils or mixers being exposed.
The risk with low tank level can be minimized by using proper level measurements and alarms. An
advantage with continuous level transmitters in this specific application is that a single device can be used
for both high and low alarms.

Floating roof binding and buoyancy issues


Floating roofs are movable mechanical constructions that
require regular maintenance. Problems with rain water, drain
clogging or pontoon leakage, combined with wind and rain or
snow may cause the roof to “get stuck” or sink.
The latest technical solution for floating roof monitoring is to
use three wireless guided wave radar level transmitters mounted
on the floating roof itself. The transmitters measure the relative
level which can be used to calculate the angle of the roof and its
buoyancy.

Fact box 2.3: Examples of risks associated with tanks


2.6 Financial returns of modern overfill prevention
This section describes how the usage of a modern overfill prevention system can generate immediate and long-term financial returns.

2.6.1 Increased efficiency

2.6.1.1 Quicker transfers and better tank utilization
By having a better understanding of what’s in the tank, operators will gain the trust to perform product movements faster and operate the process more efficiently. Additionally, with overfill prevention systems that more accurately measure the level, and have quicker response times, the set-points can be adjusted to increase the tank utilization.

2.6.1.2 Less manpower
Verification of overfill prevention systems often occupies considerable resources. Modern overfill prevention systems require less testing and offer quicker testing procedures.

2.6.1.3 Management system
Modern overfill prevention requires the establishment of an appropriate overfill management system (OMS). Written, accurate procedures that correspond with how the system works in the field; qualified personnel; management of change and lessons learned systems are a few of the components that will result in a more efficient facility.

2.6.1.4 Reduced down-time
Modern overfill prevention systems offer increased availability and reduce the need for hand-gauging or visual inspection of local level sensors, thereby minimizing down-time.

2.6.2 Reduced cost of risk

2.6.2.1 Insurance costs
By implementing modern overfill prevention the insurance premium may be reduced if an external insurance company is used.

2.6.2.2 Emergency response costs
Modern overfill prevention results in fewer tank overfills, thereby lowering the need for costly emergency responses.

2.6.2.3 Hand-gauging and reading of local level sensors
By having a better understanding of what’s in the tank, fewer manual measurements are required.

2.6.2.4 Maintenance
Modern overfill prevention systems require less maintenance.

3 - Key elements

3 Key Elements

Topic Page
3.1 The traditional approach to overfill prevention 30
3.2 The modern approach to overfill prevention 30
3.3 Requirements 30
3.4 Risk assessment 31
3.5 Process design 31
3.6 Overfill management system 31
3.7 Protection layers 32
3.7.1 Basic process control system 33
3.7.2 Safety layer 33
3.7.3 Passive protection and emergency response layer 35
3.8 Commissioning and subsequent verification 35
3.8.1 Site acceptance testing 35
3.8.2 Proof-testing 36


3. Key elements

3.1 The traditional approach to overfill prevention
Overfill prevention has traditionally been synonymous with equipment denoted “overfill prevention system” (OPS). This equipment has often been put in place to fulfil incomplete prescriptive regulatory requirements and has been treated accordingly. Capital expenditure has been minimized and maintenance and verification have not been prioritized. Operational key performance indicators (KPIs) have been prioritized over safety. As a result, written safety procedures have often been lacking and operations departments have not adhered to written procedures.

3.2 The modern approach to overfill prevention
There have been significant advancements in the understanding of tank overfill root-causes in recent years due to the increased availability of information. Often the information has originated from public investigations.

Modern overfill prevention is based on a holistic perspective with an understanding that a multitude of elements contribute to minimizing the risk of a tank overfill, and not just the equipment denoted as the ‘overfill prevention system’. An overview of these elements is described below and in greater detail in subsequent chapters.

3.3 Requirements
Usually several different internal and external requirements apply to tanks and overfill prevention:
• The foundation is regulations, which may originate from e.g. state, federal, national or union legislation. These are further described in chapter 4 “Regulatory requirements”.
• Additionally many companies have internal codes and standards. These are not further described in this book due to their individual nature. However, it is worth mentioning that these internal documents should be based on, and in compliance with, the applicable external requirements.
• On top of regulations there are industry standards and Recognized and Generally Accepted Good Engineering Practices (RAGAGEP). These are often created and documented by industry associations. In some instances, there exist documented application specific and/or country specific requirements. This book addresses the globally accepted standards IEC 61511 and API 2350 which are discussed in chapter 5 “Industry standards”.
The structure and priority of these requirements, which are sometimes conflicting, are illustrated in figure 3.1.

[Figure 3.1 labels: RAGAGEP; Corporate standards; Industry standards; Regulations]
Figure 3.1: The origin, and priority, of internal and external overfill prevention requirements


3.4 Risk Assessment
Tank overfills are predictable. It is therefore crucial to create an understanding of the specific tank’s risk for overfill. Probability factors are determined by, for example, evaluating how the tank is operated and what the effectiveness of the various protection layers are (e.g. the overfill prevention system). Also different consequence factors such as fatalities and asset damage are evaluated. The assessed risk is compared with the facility’s tolerable risk to determine if there is an unacceptable risk and what size it is. This process is depicted in figure 3.2.

3.5 Process Design
One of the elements that needs to be taken into consideration to prevent overfills is the design of the process or bulk liquid facility. For example, does the tank have the appropriate size to accommodate abnormal process behavior? Is the incoming and outgoing pipe sizing appropriate? Is there a need for connection to a relief tank?

Although the process design is a critical element to prevent tank overfills, it is not further described in this book due to its individual and varying nature.

[Figure 3.2 labels: Risk; Tank fillings; Protection layers: Operator, BPCS, Automatic Alarm, Overfill Prevention System (OPS); Unacceptable risk; Tolerable risk]
Figure 3.2: Basic concept of evaluating the assessed risk compared to the tolerable risk

Modern overfill prevention uses this risk (performance) based approach as opposed to the traditional prescriptive approach. This ensures that the safeguards are neither over nor under engineered.

An action to reduce the risk to a tolerable level must be taken if the risk assessment determines that the risk is unacceptable. Examples of actions that can be taken to reduce the risk:
• Inherent process design change
• Changes in the Overfill Management System (e.g. operational procedures)
• Implementing additional protection layers or modifying the existing ones

Risk Assessment is described further in chapter 6 “Risk Assessment”.

3.6 Overfill Management System
Traditionally, tank overfills have been attributed to malfunctioning equipment. Although this is often a contributing factor, the actual root-cause is often more complex and involves human behavior. Therefore a critical part of modern overfill prevention is to establish an adequate Overfill Management System (OMS) that corresponds with how it works in the field.

An OMS is the framework of processes and procedures used to ensure that the organization fulfills all tasks required to achieve the objective of tank overfill prevention. This includes components such as competent personnel, written procedures, lessons learned systems and management of change procedures. Although a large task at first, the creation of an adequate OMS is not just a necessity to prevent tank overfills, it will also result in a more efficient facility. OMS is described in chapter 7 “Overfill Management System”.


3.7 Protection layers
Generally, a multitude of independent protection layers (IPLs) are used to minimize the risk of tank overfills as depicted in figure 3.3, according to the principle “do not put all your eggs in one basket”. The commonly used IPLs for tank overfill prevention are depicted in figure 3.4 below.

To reduce risk, an existing IPL can be modified, or alternatively an additional IPL can be added. The selection process often involves a cost benefit analysis. Examples of additional parameters (besides internal and external requirements) that should be taken into consideration are:
• All IPLs are not alike. The Basic Process Control System (BPCS) and Safety layer can be used to prevent the accident and thereby reduce the probability, whereas the Passive protection and Emergency response layers mitigate the accident and thereby minimize the consequences.
• According to IEC 61511-1 Edition 1: “The risk reduction factor for a BPCS (which does not conform to IEC 61511 or IEC 61508) used as a protection layer shall be below 10”, this will be discussed further in chapter 5 “Industry standards”.

Common IPLs for tank overfill prevention (figure 3.3 labels):
• Emergency response layer: Fire brigade (mitigation)
• Passive protection layer: Secondary containment (e.g. dike) (mitigation)
• Safety layer: Overfill prevention system (emergency shutdown; prevention)
• BPCS: DCS or tank inventory software (operator shutdown; prevention)
Figure 3.3: Commonly used independent protection layers (IPLs) to minimize the risk of tank overfills


[Figure 3.4 labels: Manual Overfill Prevention System (MOPS); Basic Process Control System (BPCS); LT; LT; LC; Secondary containment; Product inlet; Fire brigade; Manual valve; Pump]
Figure 3.4: Generic tank example with the commonly used IPLs for tank overfill prevention and mitigation depicted.

3.7.1 Basic process control system
One of the most overlooked elements of overfill prevention is probably the Basic Process Control System (BPCS). This is the primary IPL that continuously prevents tank overfills from occurring, and when functioning correctly the other IPLs will not be activated as depicted in figure 3.5. Therefore it may be argued that this is the most important IPL and as a consequence it needs to receive appropriate attention. For example a BPCS relying on an unreliable mechanical level transmitter, as depicted in picture 3.1, is a major safety concern.

Picture 3.1: Unreliable mechanical level transmitter (servo type)

[Figure 3.5 labels: y-axis Value; x-axis Time In Use; layers from top: Emergency response layer, Passive protection layer, Safety layer (Emergency Shut Down), Basic process control layer (Process Shutdown)]
Figure 3.5: The BPCS layer is in use continuously and is the primary tool to prevent a tank overfill. The other IPLs are only activated upon failure of the subsequent IPL

3.7.2 Safety layer
In tank overfill prevention applications, the safety layer is typically denoted overfill prevention system (OPS). There are two basic types: manual overfill prevention system (MOPS) and automatic overfill prevention system (AOPS).

[Figure 3.6 labels: LT]
Figure 3.6: Manual overfill prevention systems (MOPSs) usually consist of a level transmitter (LT) connected to an audiovisual alarm that notifies an operator to take the appropriate action, e.g. closing a valve.

[Figure 3.7 labels: LT; SIS]
Figure 3.7: Automatic overfill prevention systems (AOPSs) usually consist of a level transmitter (LT), logic and actuator that automatically closes a valve to prevent overfills from occurring. No human intervention is required which usually increases the reliability and shortens the response time.


Outlook: Industry trends

Manual replaced with automatic
Humans are inherently unreliable. The risk reduction factor of manual safety layers is therefore limited, and typically has a cap of 10 (this is the SIL 0 limit according to IEC 61511). Many of the overfill prevention systems installed today are manual (MOPS), but there is a strong trend towards automatic overfill prevention systems (AOPS). Although an AOPS adds complexity over MOPS, there are several important benefits driving this transition:
• Higher risk reduction factors can be achieved
• Reduced response time
• Extent of safety loop can increase (e.g. also pumps can be shut down)

Figure 3.8: The trend is to replace manual activities with automatic control

Outlook box 3.1: Manual replaced with Automatic

Outlook: Industry trends

Adherence to IEC 61511
Safety Instrumented Systems (SIS) have existed for decades but it was with the introduction of IEC 61511 Edition 1 that a globally recognized standard emerged. This standard is being rapidly adopted by the process and bulk liquid industries. It is generally accepted by legislators and in some countries even virtually mandated by law. The scope of IEC 61511 is the safety layer and consequently it applies to the overfill prevention system. The trend in the industry is to design automatic overfill prevention systems according to IEC 61511.

Outlook box 3.2: Adherence to IEC 61511

Outlook: Industry trends


Continuous level measurement for the safety layer
Traditionally the BPCS layer is equipped with a continuous level transmitter and the safety layer with
a point level transmitter (“level switch”). The trend is to also equip the overfill prevention system with
continuous level transmitters, and often the same type as the BPCS layer. Why settle for anything but the
best for the safety layer?

Picture 3.2 and 3.3: Two continuous measurements of the same type are used as the level sensors in the BPCS and
the safety layer (left: radar level gauges, right: guided wave radar level transmitters)

Outlook box 3.3: Continuous level measurement for the safety layer


A critical aspect of overfill prevention is to correctly define the “levels of concern” (LOC) which include Critical High (CH), Level Alarm High High (LAHH or simply HiHi) and Maximum Working Level (MWL) as depicted in figure 3.9.

[Figure 3.9 labels: CH; LAHH; MWL]
Figure 3.9: The Levels Of Concern (LOC) for tank overfill prevention

According to API 2350 Edition 4:

“Note specifically that an alarm requires immediate action, either manually (e.g. field operator closes a valve) or automatically through predetermined logic. In some instances a level alert high (LAH) or other alert may be used for optional operational notifications”.

Overfill prevention system is further described in chapter 8 “Overfill prevention systems”.

3.7.3 Passive protection and emergency response layers
In the case of tank overfill protection, the passive protection layer usually consists of a secondary containment (e.g. dikes or concrete walls) and the emergency response layer consists of a fire brigade. These IPLs are merely used for mitigation of tank overfills, and they are consequently not included within the scope of this book.

3.8 Commissioning and subsequent verification
An essential element of modern tank overfill prevention is to ensure that the probability of systematic (human) errors and random hardware failures are minimized for the safety layer. The key methods to achieve this are Site Acceptance Testing (SAT) and Proof-testing.

3.8.1 Site acceptance testing (SAT)
SAT is performed to verify that the equipment has been commissioned correctly. The purpose is to detect systematic (human) failures. Best practice is that the SAT is performed by one or more people who were not involved in the commissioning procedure.

Level of concern (LOC) | Abbreviation | Definition
Critical High Level | CH | The highest level in the tank that product can reach without detrimental impacts (i.e. product overflow or tank damage)
Level Alarm High-High | LAHH | An alarm generated when the product level reaches the high-high tank level
Maximum Working Level | MWL | An operational level that is the highest product level to which the tank may routinely be filled during normal operations
Table 3.1: Levels of concern
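The levels of concern in table 3.1 and the MOPS/AOPS distinction from section 3.7.2, worked through as an added example (this is not code from the book or from any project): it classifies a level reading against MWL, LAHH and CH and checks whether a given safety-layer response time stops the fill below CH. The tank levels, fill rate and response times are constructed values, and the constant-rate response model (level keeps rising at the transfer rate from the moment LAHH is reached until inflow has ceased) is an assumption of this example, not a rule quoted from API 2350.

```python
"""Levels of concern (LOC) and the time margin between LAHH and CH.

Added example, not from the book. LOC names follow table 3.1 (MWL, LAHH,
CH). Tank levels, fill rate and response times are constructed values; the
constant-rate response model is a simplification assumed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LevelsOfConcern:
    mwl_m: float   # Maximum Working Level: highest level for routine filling
    lahh_m: float  # Level Alarm High-High: alarm that requires immediate action
    ch_m: float    # Critical High: product overflow or tank damage above this

    def __post_init__(self):
        # The three levels only make sense in this order.
        if not (0 < self.mwl_m < self.lahh_m < self.ch_m):
            raise ValueError("levels must satisfy 0 < MWL < LAHH < CH")


def classify(level_m: float, loc: LevelsOfConcern) -> str:
    """Map a level reading to the LOC band it falls in."""
    if level_m >= loc.ch_m:
        return "OVERFILL"      # CH reached: detrimental impact
    if level_m >= loc.lahh_m:
        return "ALARM"         # LAHH: immediate action required
    if level_m >= loc.mwl_m:
        return "ABOVE_MWL"     # outside the routine operating band
    return "NORMAL"


def level_when_stopped(loc: LevelsOfConcern, fill_rate_m_per_min: float,
                       response_min: float) -> float:
    """Level reached when the transfer has finally been stopped.

    response_min is the total time from the level crossing LAHH until
    inflow has ceased: alarm annunciation, operator travel, decision and
    valve closure for a MOPS; logic-solver and valve closure for an AOPS.
    """
    return loc.lahh_m + fill_rate_m_per_min * response_min


def margin_to_ch(loc: LevelsOfConcern, fill_rate_m_per_min: float,
                 response_min: float) -> float:
    """Height left below CH once inflow has stopped (negative = overfill)."""
    return loc.ch_m - level_when_stopped(loc, fill_rate_m_per_min, response_min)


def highest_safe_lahh(loc: LevelsOfConcern, fill_rate_m_per_min: float,
                      response_min: float) -> float:
    """Highest LAHH set-point that still stops the fill at or below CH."""
    return loc.ch_m - fill_rate_m_per_min * response_min


def assess(loc: LevelsOfConcern, fill_rate_m_per_min: float,
           responses_min: dict) -> dict:
    """Compare candidate safety layers (name -> response time) on one tank."""
    result = {}
    for name, t in responses_min.items():
        stop = level_when_stopped(loc, fill_rate_m_per_min, t)
        result[name] = {
            "level_when_stopped_m": round(stop, 3),
            "outcome": "overfill" if stop >= loc.ch_m else "contained",
            "highest_safe_lahh_m": round(
                highest_safe_lahh(loc, fill_rate_m_per_min, t), 3),
        }
    return result


# Constructed sample tank (levels in metres) and constructed transfer data.
LOC = LevelsOfConcern(mwl_m=16.0, lahh_m=17.0, ch_m=18.0)
FILL_RATE = 0.03                           # m/min, about 1.8 m/h
RESPONSES = {"MOPS": 40.0, "AOPS": 5.0}    # minutes from LAHH to inflow stopped

if __name__ == "__main__":
    for layer, r in assess(LOC, FILL_RATE, RESPONSES).items():
        print(layer, r)
```

With the constructed numbers the MOPS response of 40 minutes lets the level pass CH, while the AOPS stops it 0.85 m below CH; the same tank could only keep a MOPS if LAHH were lowered to 16.8 m, which squeezes the operating band between MWL and LAHH. That trade-off is the practical reason the response time of the safety layer belongs in the LOC definition.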


3.8.2 Proof-testing
The purpose of proof-testing is to verify that
commissioned equipment already in operation
functions correctly. It is a useful tool to reduce the
safety layer’s probability of failure on demand for
infrequently used safety systems. Proof-testing is
further described in chapter 9 “Proof-testing”.
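How the proof-test interval drives the safety layer’s probability of failure on demand, shown as an added example (not from the book or any project): it uses the simplified single-channel formulas from the IEC 61508 reliability framework, which are assumed here rather than taken from this page, including the proof-test-coverage extension for a test procedure that does not reveal every dangerous failure. The failure rate, intervals and coverage are constructed values.

```python
"""Effect of the proof-test interval on a safety layer's PFDavg.

Added example, not from the book. Formulas are the simplified 1oo1 relations
from the IEC 61508 framework, assumed here: PFDavg ~ lambda_DU * TI / 2 for a
perfect proof test, plus the usual proof-test-coverage extension. The failure
rate, intervals and coverage are constructed values.
"""

HOURS_PER_YEAR = 8760.0


def pfd_avg(lambda_du_per_h: float, test_interval_h: float) -> float:
    """PFDavg of one channel whose dangerous undetected failures (rate
    lambda_DU) are all revealed by a proof test every TI hours."""
    return lambda_du_per_h * test_interval_h / 2.0


def pfd_avg_with_coverage(lambda_du_per_h: float, test_interval_h: float,
                          coverage: float, mission_time_h: float) -> float:
    """Imperfect proof test: the fraction `coverage` of dangerous undetected
    failures is found at each test; the rest stays hidden until the end of
    the mission time (e.g. a major overhaul or replacement)."""
    found = coverage * lambda_du_per_h * test_interval_h / 2.0
    hidden = (1.0 - coverage) * lambda_du_per_h * mission_time_h / 2.0
    return found + hidden


def achieved_rrf(pfd: float) -> float:
    """Risk reduction factor is the reciprocal of PFDavg."""
    return 1.0 / pfd


def max_test_interval_h(lambda_du_per_h: float, target_pfd: float) -> float:
    """Longest interval (perfect test) that keeps PFDavg at or below target."""
    return 2.0 * target_pfd / lambda_du_per_h


# Constructed sample: a level transmitter loop with lambda_DU = 2e-7 per hour.
LAMBDA_DU = 2e-7

if __name__ == "__main__":
    for years in (0.5, 1, 2, 5):
        ti = years * HOURS_PER_YEAR
        p = pfd_avg(LAMBDA_DU, ti)
        print(f"TI={years:>3} y  PFDavg={p:.2e}  RRF={achieved_rrf(p):.0f}")
    print("max TI (h) for PFDavg 1e-3:", max_test_interval_h(LAMBDA_DU, 1e-3))
    print("PFDavg, yearly test, 90 % coverage, 10 y mission:",
          f"{pfd_avg_with_coverage(LAMBDA_DU, HOURS_PER_YEAR, 0.9, 10 * HOURS_PER_YEAR):.2e}")
```

Two things the numbers make visible: doubling the interval doubles PFDavg, so the interval is a design parameter of the safety layer rather than a maintenance detail; and a test that only covers 90 % of the dangerous failures roughly doubles the yearly-test PFDavg in this sample, which is why the quality of the proof-test procedure itself, and not only its frequency, belongs among the equipment selection criteria the outlook box below describes.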

Outlook: Industry trends


Site acceptance testing and proof-testing
The industry’s focus on SAT and Proof-testing has
considerably increased in recent times, mainly
due to:
• Ever-increasing needs for safety and
efficiency improvements
• The introduction of functional safety
standard IEC 61511 which emphasizes
the safety life-cycle approach along with
providing a theoretical framework for
proof-testing
• A number of high profile accidents where
lack of proper proof-testing has been
suspected to be one of the root-causes
(e.g. the Buncefield accident*)
The trend in the industry is to include SAT and
proof-testing procedures as a key selection
criterion when purchasing equipment, since
the cost to execute these procedures once
the equipment has been purchased can be
considerable, depending on the equipment
selected.

Picture 3.4: Proof-testing of a level transmitter

Outlook box 3.4: Site acceptance testing and proof-testing

* Read more in chapter 2.4.

4 - Regulatory requirements

4 Regulatory requirements

Topic Page
4.1 Different types of regulations 39
4.1.1 No regulation directly applicable to tank overfills 39
4.1.2 Prescriptive regulation 40
4.1.3 Performance based regulation 40
4.1.4 Performance based with extensions regulation 40
4.2 Implications 40


4. Regulatory requirements
Regulations are binding legislative acts which each facility must conform to. Non-conformance can result in both civil and criminal prosecution, especially in the event of an accident.

Unfortunately, and independently of country, it is not as simple as a single regulation for overfill prevention. Instead, multiple regulations aimed at different purposes may have an impact on the requirements for prevention and mitigation of tank overfills. These are examples of common fields of regulations that usually have an impact on the requirements for tank overfill prevention:
• Handling of hazardous substances
• Environmental protection
• Explosive products handling
• Water pollution
• Air emissions
• Fire protection
• Emergency response plan
• National security
• Protection of critical infrastructure
• Worker’s rights
• Civil protection
An example of external regulations relating to tank overfills for above ground storage tank terminals can be seen in figure 4.1 below.

[Figure 4.1 labels: Above ground storage tank terminals; Regulatory standards (Federal): OSHA (Flammable/combustible liquids), EPA (Clean water act: Spill prevention, Facility response plan; Clean air act: General duty clause, Risk management program (RMP)), USCG; Voluntary consensus standards: NFPA consensus standards (NFPA 30), ICC (International fire code); Industry groups: ILTA, API (API 2350), IPAA]
Figure 4.1: Example mapping conducted by the United States Chemical Safety Board in 2015 of external requirements relating to tank overfills for above ground storage tank terminals in the United States


4.1 Different types of regulations
Regulation varies by union, country, state or even municipality. Currently the different regulatory frameworks that apply to the prevention and mitigation of tank overfills can be characterized in the following way:
• No regulation directly applicable to tank overfill
• Prescriptive regulation
• Performance based regulation
• Performance based with extensions regulations
These basic types of regulations are further described in subsequent chapters. Often a combination applies to a single tank.

4.1.1 No regulation directly applicable to tank overfills
In some countries there exists no applicable regulation for tank overfills. Alternatively, the regulation may be incomplete for certain tank types or stored products (e.g. if the tank is on wheels, or the regulators depend entirely on local industry associations).

It is important not to be mistaken if this is the case; usually if an accident occurs, the matter ends up in a court which probes the defendants against locally and internationally recognized standards (e.g. API 2350 or IEC 61511) and RAGAGEP. Consequently, in the event of an accident there are also expectations and indirect requirements under this type of regulation.

Regulation is an evolutionary process that is highly affected by accidents (e.g. the Seveso accident in Italy, the Bhopal accident in India and the Texas City accident in the US). Based on the trend in the industrialized countries which is depicted in figure 4.2, the world is heading towards a “Performance based with extensions” approach.

[Figure 4.2 labels: periods 1930 - 1970 “All about regulations”, 1970 - 2000 “Learning from accident”, 2000 - 2015 “Process safety in the new millennium”; regulation levels from bottom: No regulation, Prescriptive regulation, Performance based regulation, Performance based regulations with extensions; x-axis Time (1930, 1970, 2000)]
Figure 4.2: Developments of safety regulations in the industrialized world


4.1.2 Prescriptive regulation
Prescriptive regulation such as “the tank shall have an independent level switch” puts requirements on the specific design. This type of regulation emerged as a response to accidents but has proven to be ineffective because “there is no great incentive for companies to go over and beyond the prescriptive compliance requirements. Instead of treating regulations as the minimum acceptable standard and continuing the search for best industry practices, companies stop their efforts as soon as prescriptive compliance is achieved” (Sreenevasan, 2015). The traditional approach to overfill prevention, described in chapter 3 “Key Elements”, is based on this type of thinking.

4.1.3 Performance based regulation
Performance based regulation is based on the actual risk that exists. The organization responsible for the risk is empowered to address it the way they find appropriate and the government reviews and approves their justification and follows up with inspections.

Benefits of this approach include:
• Reduces the amount of regulation required and allows government officials to act with increased flexibility
• Prevents over or under engineering of safeguards
• “Allowing for innovation and new technology, as well as creativity and advancement” (Goble, 2013)

The main disadvantage with performance based regulation is that it can be more cumbersome to implement. For example it requires that:
• The responsible organization is competent
• A risk assessment is conducted (which may or may not be accurate)
• Determination of tolerable risk criteria

Further information about performing risk assessment for a specific tank can be found in chapter 6.

It is not uncommon for regulations to be both prescriptive and performance based. One example is legislators who, due to previous accidents, stipulate that consequence or probability factors be included in the risk assessment.

4.1.4 Performance based with extensions regulation
In recent years, the performance based approach has been augmented in many countries with a holistic perspective that also takes the workforce (or general stakeholders) into account, in addition to the regulator and the responsible organization. Other components of this augmented approach are:
• Process Safety Management (see Overfill management system, chapter 7)
• Increased transparency by presenting information to the public
• Sharing lessons learned across similar facilities
• Public investigation reports
• Public databases of accidents and incidents
• Competency requirements
• Standardized inspections
Although this approach increases the initial work-load compared to the performance based approach, it also eventually results in a more efficient and safe facility.

4.2 Implications
Regulations are constantly changing and generally become stricter over time. This is partially because accidents keep occurring, but also due to the fact that the societal acceptance for involuntary risk is decreasing.

The evolution of regulations makes it difficult for the industry to maintain compliance because solutions that were acceptable in the past may not conform to current requirements. The most efficient way to approach this problem is by the usage of future-proof solutions that also take anticipated future safety requirements into account. The remainder of this book describes the modern approach to overfill prevention which is aimed at creating future-proof solutions.


Regulatory evolution in the UK


The Secretary of State for Employment in the United Kingdom set up a committee in May 1970 to review
existing safety and health regulations. The committee was chaired by Lord Robens who identified a
problem with the existing body of regulations arising from their sheer volume and proliferation, in addition
to their ineffectiveness.
The Robens Report stated that the safety laws were “intrinsically unsatisfactory, badly structured
and written in a style that rendered them largely unintelligible even to those who were supposed to
administer them”. His report, issued in June 1972, recognized a need for more self-regulation and that the
industry should be encouraged to develop its own standards and criteria for improving health and safety
performance. As a result of this report, the Health and Safety Executive (HSE) branch of the government
was formed and the “Health and Safety at Work” act was issued in 1974.

The HSE embodies the following principles:


1. The organizations that create risks should control them
2. The benefits as well as the costs of regulations must be considered

Inspired by the developments in the UK, the European Union (EU) has taken the lead in regulations for
process safety through the Seveso directive.

Case 4.1: Regulatory evolution in the UK

5 - Industry standards

5 Industry standards

Topic Page
5.1 IEC 61511 45
5.1.1 Basic concepts 45
5.1.2 IEC 61508 Certification 48
5.1.3 IEC 61511 applied to modern overfill prevention 49
5.2 API 2350 50


5. Industry standards
The need for industry standards and RAGAGEP arose with the industrial revolution in the mid 1700s. Conformance to the most recent globally recognized industry standards is a critical element of modern overfill prevention.

There are numerous national and tank specific standards available for overfill prevention (e.g. NFPA 30, PGS 29, OISD Guideline 152) that may also be applicable for individual facilities, but the globally accepted standards, which are covered in this book, are IEC 61511 and API 2350.

IEC 61511 and API 2350 have different scopes and purposes as depicted in figure 5.1. API 2350 is an application specific standard specifically for bulk liquid storage, whereas IEC 61511 is targeted towards the design of electronic safeguards in both the process and bulk liquid storage industries. The two standards do not compete; the usage of IEC 61511 for the design of an overfill prevention system for usage on bulk liquid storage tanks is an excellent way to comply with parts of API 2350.

[Figure 5.1 labels: Emergency response layer; Passive protection layer; Safety layer; BPCS; IEC 61511; API 2350]
Figure 5.1: Industry standards IEC 61511 and API 2350 - comparison of intended scopes


5.1 IEC 61511: Functional safety – Safety instrumented systems for the process industry sector
IEC 61511 is intended for safeguards used in the process and bulk liquid industries based on completely, or partially, electrical/electronic/programmable components.

IEC 61511
Use this standard for: Automatic Overfill Prevention Systems in
- Process Industry
- Bulk Liquid Storage Industry

IEC 61511 is recognized as the global functional safety standard and it has been adopted by the European standards body, CENELEC. This means that the standard is published as a national standard in each of the member states of the European Union. In the United States it is sometimes recognized as ANSI/ISA 84.00.01-2004 or simply “S84”. This standard mirrors IEC 61511 in content with the exception that it contains a “grandfather” clause that allows the use of existing equipment that has been designed in accordance with older codes, standards, or practices. That is, assuming it has been operated in a safe manner as well as properly maintained, inspected, and tested.

5.1.1 Basic concepts

5.1.1.1 Safety Instrumented Function (SIF)
A single electrical/electronic/programmable safeguard is denoted “Safety Instrumented Function” (SIF) and consists of a sensor, logic-solver and actuator as depicted in figure 5.2.
In the context of overfill prevention, this corresponds to an automatic overfill prevention system (AOPS) consisting of one or multiple level sensors, a logic-solver and one or multiple actuators controlling a corresponding valve.

[Figure 5.2 labels: Sensor; Logic; Actuator]
Figure 5.2: Principal components of a Safety Instrumented Function (SIF)

5.1.1.2 Safety Integrity Level (SIL)
The reliability of a SIF is quantified in “Safety Integrity Level” (SIL) 0 – 4, which each corresponds to an interval of its capability to reduce risk, as listed in table 5.1.

Safety Integrity Level (SIL) | Risk Reduction Factor (RRF)
SIL 4 | > 10,000 to ≤ 100,000
SIL 3 | > 1,000 to ≤ 10,000
SIL 2 | > 100 to ≤ 1,000
SIL 1 | > 10 to ≤ 100
SIL 0 | > 0 to ≤ 10
Table 5.1: Overview Safety Integrity Levels (SILs) and corresponding risk reduction factors (RRFs)

In practice, SIL 4 is rarely used in the process and bulk liquid industries. Applications that require this amount of risk reduction are generally considered unacceptable and the entire process is redesigned (see “Process design” in chapter 3 “Key elements”).

IEC 61511 limits the risk reduction factor (RRF) of protection layers that are not designed according to IEC 61511 to a maximum of 10 (SIL 0), which for tank overfill prevention would typically refer to manual overfill prevention system (MOPS). This is actually well documented by historical data; humans have been proven to be inherently unreliable.

In consequence, for any requirement of RRFs above 10 (>SIL 0), an appropriately designed automatic overfill prevention system (AOPS) is a necessity.

45
5 - Industry standards

5.1.1.3 Safety Instrumented System (SIS)

A “Safety Instrumented System” (SIS) consists of multiple SIFs connected to a single logic-solver as depicted in figure 5.3. Although not theoretically correct, the words SIS and SIF are often used interchangeably.

[Figure 5.3: Principal overview of a safety instrumented function (SIF) and a safety instrumented system (SIS): several SIFs, each with its own sensor and actuator, share one logic solver]

5.1.1.4 Safety life-cycle

The foundation of IEC 61511 is the safety life-cycle which is depicted in figure 5.4. The safety life-cycle is based on a holistic perspective throughout the life-time of a SIS (“from the cradle to the grave”).

The safety life-cycle can be segmented into the following steps:

1. Analysis: risk assessment and allocation of safety functions
2. Realization: design and implementation of the SIS – specification, design and engineering, installation, commissioning and validation (site acceptance test)
3. Operation: operation and maintenance, proof-testing, management of change and decommissioning

These 3 steps are accompanied by the following phases that shall be conducted throughout the life-time of the safety life-cycle:

• Management and planning
• Verification

[Figure 5.4: IEC 61511-1 safety life-cycle. Sequential phases: hazard and risk assessment; allocation of safety functions to protection layers; safety requirement specifications for the safety instrumented system; design and engineering of safety instrumented system; installation, commissioning and validation; operation and maintenance; modification; decommissioning. Running alongside all phases: management of functional safety and functional safety assessment and auditing; safety life-cycle structure and planning; verification.]

5.1.1.5 Equipment selection

IEC 61511 prescribes two different options for the selection of SIS equipment:

• IEC 61508 compliant equipment
• Self-qualification of the equipment based on the prior use clause in IEC 61511

The majority of the industry, with the exception of extreme weather locations, use the option of IEC 61508 compliant equipment where the manufacturer provides a standardized certificate, failure-rate data and safety manual. Selecting IEC 61508 equipment generally results in less work when implementing the SIS.

Self-qualification is a comprehensive process for the designer of the SIS that relies on the availability of relevant historic data for the specific equipment. Another difficulty for the designer is to develop testing methodologies and assess their effectiveness. Certain vendors provide theoretical failure-rate data that can be taken into consideration, but it is important to be aware that this does not relieve the designer of the SIS from any of the self-qualification requirements.

5.1.1.6 The different scopes of IEC 61508 and IEC 61511

The two standards IEC 61508 and IEC 61511 are commonly confused. IEC 61508 is an industry independent standard for SIS, whereas IEC 61511 is one of several industry specific versions of IEC 61508. IEC 61511 is intended specifically for users in the process industry. Equipment manufacturers are not considered to be users in the process industry sector and consequently the applicable standard is IEC 61508. IEC 61511 explicitly states:

“[this standard]… does not apply to manufacturers wishing to claim that devices are suitable for use in safety instrumented systems”.

5.1.2 IEC 61508 Certification

Equipment can be developed to conform to the requirements in IEC 61508. The foundation of the standard is the safety life-cycle depicted in figure 5.4. The intention of this is to maximize the reliability of the device through a holistic perspective.

Conformance to IEC 61508 is a rigorous process. It involves not only the hardware and software design of the product, but also the associated processes to maintain the product’s quality. It also places rigorous requirements on the documentation provided with the product.

Often, the conformance to IEC 61508 is audited by an independent third party. These assessors usually issue a compliance report and a certificate. The value of these certificates is dependent on the specific assessor. It is therefore important to ensure that the assessor adheres to the following minimum requirements:

• Accreditation by a recognized third party
• Competency within the field of functional safety
• Proper engagement in the development project

[Figure 5.5: Third party assessors generate certificates stating that the equipment conforms to IEC 61508]

A product developed according to IEC 61508 implies that:

• The developer has to have a rigorous documented management system including:
  ○ Product development process
  ○ Manufacturing process
  ○ Documentation system
  ○ Management of change process
  ○ Lessons learned system
  ○ Quality system
• During the design of the product the following must be included:
  ○ Failure Modes and Effects Analysis (FMEA)
  ○ Comprehensive testing including fault insertion tests
  ○ Documentation that provides traceability and evidence for all safety requirements
  ○ Development of proof-testing procedures
• Comprehensive user documentation requirements rendered in a:
  ○ Safety manual
• Involvement of a third party assessor that requires and issues:
  ○ Audits
  ○ Compliance reports
  ○ Certificates

Developing products and having them independently assessed for conformance to IEC 61508 is a lengthy and costly process for the manufacturer. This assessment however generates several benefits for the user:

• Quality assurance
• Quantified reliability figures and classification of safety integrity level (SIL) capability
• Proper documentation covering all parts of the life-cycle
  ○ Product information and data (e.g. reliability and product life-time)
  ○ Procedures (e.g. installation and proof-testing)
  ○ Drawings

5.1.3 IEC 61511 applied to modern overfill prevention

Modern overfill prevention requires that automatic overfill prevention systems (AOPSs) are designed according to the most recent globally accepted standard, which is currently IEC 61511. This standard provides a solid framework throughout the life-time of the AOPS.

It is important to understand that IEC 61511 is focused solely on SIS and therefore does not cover all the elements of modern overfill prevention (see chapter 3 “Key elements”). For example, it does not cover:

• Internal and external requirements such as regulations and local standards
• Process design
• Overfill Management System (e.g. lessons learned procedures)
• Non-safety layers (i.e. Basic process control system, Passive protection, and Emergency response layers)

The performance (risk) based approach in IEC 61511 corresponds to the legislative approach “Performance based regulation” but does not cover all the elements of “Performance based with extensions regulation”.

IEC 61511 is one of multiple invaluable elements of modern overfill prevention.

5.2 API 2350: “Overfill Protection for Storage Tanks in Petroleum Facilities”

With the introduction of the 4th edition, which was a major change compared to previous editions, API 2350 became the first globally recognized overfill prevention standard for the bulk liquid storage industry.

API 2350
Use this standard for: Overfill Protection in
[ ] Process Industry
[✓] Bulk Liquid Storage Industry
Note: API 2350 contains generic principles that are also applicable to the process industry sector (although this is not the intended scope)

The purpose of this standard is to provide a holistic perspective that is synchronized with (but does not cover all parts of) the legislative approach “Performance based with extensions regulation” seen in figure 4.2 in chapter 4.

API 2350 contents include:

• Overfill Management System
• Risk assessment
• Operations and procedures
• Overfill Prevention System
• Tank Gauging System

The standard is a mix of prescriptive and performance based requirements. It requires a risk assessment to be conducted and evaluated against the tolerable risk, while still describing the minimum required tank overfill equipment on the tank.

A common confusion relates to the tank categories that the standard requires to be determined and the associated minimum equipment requirements. In practice, most modern facilities are category 3 according to the API 2350 classification and require the usage of an Automatic Tank Gauging (ATG) system with an independent overfill prevention system (OPS). Additionally, when the required risk assessment is conducted it is unlikely that the determined equipment requirements are lower than the API 2350 specified minimum requirements.

API 2350 accepts both MOPS and AOPS, but in case the latter is used, the basic practical requirement is that it shall be designed according to IEC 61511. The standard does not place any specific requirement on the AOPS’s SIL. Instead, this is referred to the risk assessment.

Although API 2350 is generically written, the intended scope is non-pressurized above-ground storage tanks containing petroleum products as defined in table 5.2:

Class | Definition (NFPA 30-2008) | Example | Covered by API 2350
I | Flash Point less than 100°F (38°C) | Motor and aviation gasoline | Yes - Required
II | Flash Point equal to or greater than 100°F (38°C), but less than 140°F (60°C) | Diesel fuel, paint thinner | Yes - Required
III | Flash Point equal to or greater than 140°F (60°C) | Home heating oil, lubricating oils, motor oil | Yes - Recommended

Table 5.2: Products included in API 2350’s scope

6 Risk assessment

Topic | Page
6.1 Corporate risk management | 53
6.1.1 Tolerable risk | 53
6.2 Risk analysis | 56
6.2.1 Hazard identification | 56
6.2.2 Hazard and scenario analysis | 56
6.2.3 Risk | 57
6.3 Application risk management | 57
6.3.1 Assess risk | 57
6.3.2 Identify risk reduction options | 57
6.3.3 Prioritization | 58
6.3.4 Implementation | 58
6.4 Monitoring and review | 58
6.5 Communication | 58

6. Risk assessment

There are inherent risks in the process and bulk liquid industries and in particular with tanks containing hazardous substances. The vision is zero accidents but there is recognition that risk cannot be eliminated completely and instead needs to be controlled. This realization resulted in risk assessment techniques emerging in the process industry during the 1970s. Today, risk assessment is a cornerstone of modern overfill prevention because it:

• Creates awareness of hazards and risks
• Identifies who or what may be at risk and the potential cost
• Determines if existing risk reduction measures are adequate or if more needs to be done
• Prioritizes risk reduction activities
• Addresses risk over time
• Can provide both personnel and the public with transparent information about the actual risks

An introduction to the concept of risk assessment is presented in figure 6.1.

Risk assessment is an integral part of both IEC 61511 and API 2350. It is a requirement in countries that have implemented a performance (risk) based legislation and sometimes also in countries with prescriptive legislation. Increasingly it is also becoming an internal company requirement.

[Figure 6.1: Basic concept of evaluating assessed risk compared to tolerable risk. The risk from tank fillings is reduced by the protection layers (operator, BPCS automatic alarm, overfill prevention system (OPS)) and the remaining risk is compared against the boundary between unacceptable and tolerable risk.]

A risk assessment is no guarantee of zero accidents. But tank overfills are predictable and risk assessment is a necessary tool to determine what (if any) protection layers should be implemented as well as how they should be designed and managed over time. In the case where an overfill prevention system is used to reduce risk, the risk assessment determines the required safety integrity level (SIL).

There are entire standards (e.g. ISO 31000) and books dedicated to the subject of risk assessment that contain numerous models, concepts and definitions. There is no single definition of what a risk assessment should contain and it often varies by context. One basic model that reflects typical process industry consensus and is useful for overfill prevention is presented in figure 6.2.

[Figure 6.2: Basic risk assessment model for overfill prevention. Risk analysis: hazard identification; hazard and scenario analysis (likelihood, consequences); risk. Corporate risk management: tolerable risk. Overfill risk management: assess risk; identify risk reduction options; prioritization; implementation. Across all steps: communication; monitoring and review.]

This model is merely informational and is used to organize subsequent sections; most medium and large sized companies in the process and bulk liquid industries already have similar risk assessment processes in place which, if they are adequate, may equally be used. Overfill prevention is an organisational responsibility. The tasks described in figure 6.2 require team work between a variety of different competencies including operators, instrument engineers, maintenance staff, design engineers and safety specialists.

Subsequent sections describe the individual steps in figure 6.2, but the procedural aspects are a part of the overfill management system (OMS) which is described in chapter 7.

6.1 Corporate risk management

A critical fundament of risk assessment is for corporate risk management to define the amount of risk that the company deems acceptable, commonly denoted as “tolerable risk”.

Some countries, territories or even cities (e.g. United Kingdom, South Wales in Australia and Hong Kong) have regulations for tolerable risk, commonly based on the consequence of fatalities. These need to be taken into consideration when defining the corporate tolerable risk levels in case the company only operates in that territory; otherwise these should be taken into consideration during the “application risk management” phase in the step “assess risk” described further below.

6.1.1 Tolerable risk

Risk consists of two components: Probability x Consequence. Probability is equivalent to the probability of a certain identified hazard occurring, and consequence reflects the severity of such an incident. The consequence factor, and thereby also the concept of risk, is ambiguous since it can be defined differently. In the process and bulk liquid industries it is common to define the consequence factor as having an adverse effect on:

• Health
• Environment
• Company image
• Asset or property
• Loss of production
• Financial impact

The tolerable risk can be defined as multiple risk levels based on different consequences. Companies need to consider carefully the definition used for tolerable risk since it indirectly communicates the company’s safety focus. A direct consequence of the tolerable risk format is that it determines the structure and outcome of the risk assessment.

6.1.1.1 ALARP

In theory, the tolerable risk can be defined as one absolute value for each selected consequence, as depicted in figure 6.3.

[Figure 6.3: Simplified example with tolerable risk: probability plotted against consequence, divided by a single boundary into intolerable risk and tolerable risk]

In practice the determination of tolerable risk is more complex, which the following example indicates. Spending £1m to prevent five staff suffering bruised knees may be disproportionate; but to spend £1m to prevent a major explosion capable of killing 150 people is obviously in proportion.
Therefore the British Health and Safety Executive (HSE) invented the principle of ALARP which is an abbreviation of “as low as reasonably practicable”. Reasonably practicable involves weighing a risk against the trouble, time and money needed to control it. The purpose is to enable proportionate risk reduction measures and the principle has been widely adopted in the process industry and by other countries. An overview of the principle is depicted in figure 6.4 and the specific numbers used in the United Kingdom are presented in figure 6.5 along with a comparison in figure 6.6.

[Figure 6.4: The principle of “as low as reasonably practicable” (ALARP): probability against consequence, with an ALARP band between the intolerable risk and tolerable risk regions]

[Figure 6.5: Typical depiction of tolerable risk levels as defined by the British Health and Safety Executive (HSE), on a scale of fatalities/man-year: intolerable risk, ALARP, tolerable risk]

[Figure 6.6: Comparison of tolerable risk levels for the consequence of fatalities for Australia (NSW), Hong Kong, the Netherlands and the United Kingdom]

6.1.1.2 Tolerable risk examples

The theoretical models described above are typically implemented by corporations as multiple risk graphs for the selected consequences, e.g. health, environment and financial losses. The risk graphs may either be quantitative, semi-quantitative or qualitative as described in figures 6.7 and 6.8.

[Figure 6.7: Example of qualitative corporate risk graph. Consequence (Negligible, Low, Moderate, Significant, Catastrophic) against probability (Improbable, Remote, Occasional, Probable, Frequent); the resulting risk classes are Desirable (NO ACTION), Acceptable (MONITOR), Undesirable (ACTION), Unacceptable (URGENT ACTION) and Catastrophic (STOP)]
Consequence (worst case of Health | Asset | Environment | Company image) || Probability: Likely (>0.1/yr) | Probable (<0.1/yr) | Occasional (<10^-2/yr) | Remote (<10^-3/yr) | Improbable (<10^-4/yr)
Multiple fatalities (<10^-5/yr) | Extensive damage (>$10M) | Massive effect | International impact || Stop | Stop | SIL 3 | SIL 2 | SIL 1
Single fatality (<10^-4/yr) | Major damage (<$10M) | Major effect | National impact || Stop | SIL 3 | SIL 2 | SIL 1 | SIL 0
Major injury (<10^-3/yr) | Major damage (<$500K) | Localized effect | Considerable impact || SIL 3 | SIL 2 | SIL 1 | SIL 0 | OK
Minor injury (<10^-2/yr) | Minor damage (<$100K) | Minor effect | Minor impact || SIL 2 | SIL 1 | SIL 0 | OK | OK
Slight injury (<0.1/yr) | Slight damage (<$10K) | Slight effect | Slight impact || SIL 1 | SIL 0 | OK | OK | OK
None | None | None | None || OK | OK | OK | OK | OK

Figure 6.8: Example corporate risk matrix. Worst-case consequence outcome determines the required risk reduction

6.2 Risk analysis

6.2.1 Hazard identification

The first step of the risk analysis is to conduct hazard identification. A hazard is an object, a property of a substance, a phenomenon, or an activity that can cause adverse effects. This is not to be confused with a risk, which is the probability and consequence of a hazard actually causing its adverse effects.

Multiple tools exist to identify hazards such as HAZOP (hazard and operability study), HAZID (hazard identification) and “What if analysis”. Usually, these are based on a checklist containing keywords such as temperature, level, pressure, chemical reaction and agitation used as input parameters to identify hazards.

Within the scope of this book, the hazard identification covers tank overfills.

6.2.2 Hazard and scenario analysis

Numerous techniques can be used to estimate the risk of a tank overfill. These techniques can be based on either historical data or an analytical approach, or a mix of the two. Ultimately they all depend on the estimation of the probability and the consequence of a tank overfill.

6.2.2.1 Probability estimation

The probability of an overfill occurring depends on a number of different parameters. API 2350 provides a useful list of considerations which were originally intended for the bulk liquid industry, but to a large extent are also applicable to the process industry:

• Frequency, rate and duration of filling
• Systems used to properly measure and size receipts to tanks
• Accurate tank calibration
• Systems used to monitor receipts
• Extent of monitoring and supervision of manual and automatic tank gauging
• Impact of complexity and operating environment on the ability of operating personnel to execute overfill prevention tasks
• Filling multiple tanks simultaneously
• Switching tanks during receipt

A basic example based on an analytical model and the risk reduction factors specified in IEC 61511 is provided in figure 6.9. The example assumes that the operator and BPCS automatic alarm are independent - which is not always the case.

[Figure 6.9: Example probability estimation of tank overfills using an event-tree analysis. Initiating event: tank filling, 30 / year. Protection layer #1: operator, failure probability 1/10 = 0.1. Protection layer #2: BPCS automatic alarm, 1/10 = 0.1. Protection layer #3: automatic OPS (SIL 2), 1/100 = 0.01. Outcomes: tank overfill, 0.3%/year; otherwise no event.]

In the example given in figure 6.9, an operator is estimated to reduce overfill risk by a factor of 10. A BPCS automatic alarm reduces risk by an additional factor of 10 and an independent overfill prevention system by a factor of 100. Consequently, the three layers combined result in a risk reduction factor of 10x10x100 = 10,000. Alternatively, the probability of overfill for each filling is 0.01% = 1/10,000. With 30 fillings per year, this tank’s yearly overfill probability becomes 0.3%.

This number can be compared to the historical data provided by Marsh showing that an overfill occurs once every 3,300 fillings (Marsh & McLennan Companies, 2001). In other words, the average risk reduction factor of protection layers against overfill currently being used is 3,300, and the probability of overfill for each filling is 0.03% = 1/3,300. Three times as unsafe.

6.2.2.2 Consequences estimation

The consequences estimated depend on the expected output of the risk analysis, which is usually governed by the corporate tolerable risk criteria.

The assessed consequences depend on a number of different parameters. API 2350 provides a useful list of factors to take into consideration. This is intended for the bulk liquid industry, but is to a large extent also applicable to the process industry:

• Hazard characteristics of material (product) in tank
• Volatility, flammability, dispersion, vapor cloud explosion potential
• Number of people onsite who may be affected by a tank overfill
• Number of people offsite who may be affected by a tank overfill

• Possibility of a tank overflow resulting in escalation of hazardous events onsite or offsite
• Possibility of impact to nearby sensitive environmental receptors
• Physical and chemical properties of product released during overflow
• Maximum potential overfill flow rates and duration

A simplified example based on an event analysis is provided in figure 6.10. In this fictitious scenario, the estimated financial consequences from the single event of product overfill into secondary containment is estimated as $480,000 in clean-up costs. As shown in figure 6.10, this estimation is based on the assumption that 80% of the product will be contained by the secondary containment costing $250,000 (80% x 350,000), 5% will overfill the secondary containment costing an additional $50,000 (5% x $1,000,000) and a final 15% leakage from the secondary containment will drive yet another $150,000 (15% x 1,000,000).

[Figure 6.10: Parts of a simplified example consequence analysis of a tank overfill. Tank overfill (100%) → product in secondary containment → Event #1: 80%, product is contained within secondary containment, clean-up cost $350K; 5%, product overfills secondary containment, clean-up cost $1m; 15%, secondary containment leaks product, clean-up cost $1m; … Event #n.]

6.2.3 Risk

Combining the probability and consequences results in an estimation of the risk.

Using the examples provided in figures 6.8 and 6.9, the estimated risk for a single tank to experience a single event of product in the secondary containment is $1,440/year = 0.3%/year x $480,000.

Notice that this is an incomplete fictitious example; when including other events and consequences such as fatalities, injuries, environment, company image, asset damages and loss of production the risk is likely to be much higher.

6.3 Application risk management

6.3.1 Assess risk

The estimated risk obtained from the risk analysis needs to be assessed to determine if additional (or less) risk reduction is required. Often several stakeholders need to be taken into consideration:

1. Corporate tolerable risk criteria
2. Regulatory requirements
3. Industry standards and RAGAGEP

During this step, it will be determined how much (or little) risk reduction for a tank overfill is required. When determining the required risk reduction it is essential to not only consider current requirements but also expectations for the future. Historically the tolerable risk has been decreasing, and it is probable that this trend will continue. According to the Flixborough report:

“… for what is or is not acceptable depends in the end upon current social tolerance, and what is regarded as tolerable at one time may well be regarded as intolerable at another.”
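The event-tree probability estimate of figure 6.9, the consequence tree of figure 6.10 and the risk figure of section 6.2.3, carried through in code as an added example (not from the book or any vendor). The layer RRFs, the 30 fillings per year, the clean-up costs and the Marsh figure are the book's example values; the SIL band edges follow the book's own usage (RRF 100 = SIL 2, RRF 1,000 = SIL 3), and the cap of 10 for a layer not designed to IEC 61511 is the book's statement, so a higher claimed RRF for such a layer is simply not credited.

```python
"""Overfill risk estimate carried through in code (added example, not from the book).

Layer RRFs, filling frequency, clean-up costs and the Marsh figure are the book's
fictitious example values (figures 6.9 and 6.10); SIL band edges follow the book's
usage, where an RRF of 100 is SIL 2 and an RRF of 1,000 is SIL 3.
"""
from dataclasses import dataclass

# Table 5.1 as inclusive lower bounds: an RRF of at least `bound` earns `sil`.
SIL_BANDS = [(10_000, 4), (1_000, 3), (100, 2), (10, 1), (0, 0)]

# IEC 61511 caps the credit for layers not designed to it at RRF 10 (SIL 0).
NON_IEC61511_MAX_RRF = 10


def sil_for_rrf(rrf: float) -> int:
    """Map a risk reduction factor to its SIL band per table 5.1."""
    if rrf <= 0:
        raise ValueError("RRF must be positive")
    for bound, sil in SIL_BANDS:
        if rrf >= bound:
            return sil
    return 0


@dataclass(frozen=True)
class ProtectionLayer:
    name: str
    rrf: float
    iec61511: bool = False  # designed and managed according to IEC 61511?

    def credited_rrf(self) -> float:
        """RRF that may be claimed: the full value only for an IEC 61511 layer."""
        if self.iec61511:
            return self.rrf
        return min(self.rrf, NON_IEC61511_MAX_RRF)


def overfill_probability(layers, fillings_per_year):
    """Event tree of figure 6.9: independent layers, each failing with 1/RRF.

    Returns (probability per filling, expected overfills per year); like the
    book, the yearly figure is per-filling probability times filling count.
    """
    p_per_filling = 1.0
    for layer in layers:
        p_per_filling *= 1.0 / layer.credited_rrf()
    return p_per_filling, p_per_filling * fillings_per_year


def expected_consequence(branches):
    """Consequence tree of figure 6.10: sum of branch share x clean-up cost."""
    total_share = sum(share for share, _ in branches)
    if abs(total_share - 1.0) > 1e-9:
        raise ValueError(f"branch shares sum to {total_share}, expected 1.0")
    return sum(share * cost for share, cost in branches)


def annual_risk(layers, fillings_per_year, branches):
    """Section 6.2.3: risk = probability x consequence, in currency per year."""
    _, overfills_per_year = overfill_probability(layers, fillings_per_year)
    return overfills_per_year * expected_consequence(branches)


# Protection layers of the book's example (figure 6.9).
EXAMPLE_LAYERS = [
    ProtectionLayer("Operator", rrf=10),
    ProtectionLayer("BPCS automatic alarm", rrf=10),
    ProtectionLayer("Independent OPS (SIL 2)", rrf=100, iec61511=True),
]
EXAMPLE_FILLINGS_PER_YEAR = 30

# Consequence branches of the book's example (figure 6.10): (share, clean-up cost).
EXAMPLE_BRANCHES = [
    (0.80, 350_000),    # product contained within secondary containment
    (0.05, 1_000_000),  # product overfills the secondary containment
    (0.15, 1_000_000),  # secondary containment leaks product
]

# Marsh & McLennan (2001): historically one overfill per 3,300 fillings.
MARSH_OVERFILLS_PER_FILLING = 1 / 3_300


def compare_to_marsh(layers):
    """How many times likelier the historical overfill rate is than the estimate."""
    p_per_filling, _ = overfill_probability(layers, 1)
    return MARSH_OVERFILLS_PER_FILLING / p_per_filling


if __name__ == "__main__":
    p, per_year = overfill_probability(EXAMPLE_LAYERS, EXAMPLE_FILLINGS_PER_YEAR)
    print(f"overfill probability: {p:.4%} per filling, {per_year:.2%} per year")
    print(f"expected clean-up per overfill: ${expected_consequence(EXAMPLE_BRANCHES):,.0f}")
    risk = annual_risk(EXAMPLE_LAYERS, EXAMPLE_FILLINGS_PER_YEAR, EXAMPLE_BRANCHES)
    print(f"risk: ${risk:,.0f}/year; history is {compare_to_marsh(EXAMPLE_LAYERS):.1f}x worse")
    # An OPS specified at RRF 100 but not designed to IEC 61511 is credited only 10.
    uncertified = ProtectionLayer("OPS not designed to IEC 61511", rrf=100)
    credited = uncertified.credited_rrf()
    print(f"credited RRF: {credited} -> SIL {sil_for_rrf(credited)}")
```

Run as a script it reproduces the book's figures (0.01% per filling, 0.3%/year, $480,000 per overfill, $1,440/year, roughly three times safer than the Marsh history), and the last line shows why the IEC 61511 cap matters: an OPS claimed at RRF 100 but not designed to the standard is worth RRF 10, i.e. SIL 0.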

For example, if the current requirement is a risk reduction factor of minimum 100 (SIL 2), then the input to subsequent steps in the risk management process may be that a risk reduction factor of 1,000 (SIL 3) is recommended, or alternatively that the identified risk reduction option shall be SIL 2 but easily upgradable to SIL 3.

6.3.2 Identify risk reduction options

The purpose of this step is to identify options to sufficiently reduce the risk of a tank overfill. Typically, several different options are available:

• Inherent process design change
• Changes in the Overfill Management System (e.g. operational procedures)
• Implementing additional protection layers or modifying the existing ones

The identified risk reduction options should be accompanied with the information required for subsequent prioritization:

• Risk reduction factor
• Type of risk reduction; prevention or mitigation
• Cost
• Time to implement
• Operational costs such as maintenance and testing
• Effect on operations
• Upgrade cost to increase the risk reduction factor

It should be noted that according to IEC 61511, the risk reduction factor is limited to 10 for protection layers that are not designed according to IEC 61511.

6.3.2.1 Consequence reduction

Protection layers such as secondary containment and fire patrol are targeted towards reducing the consequence. Although these protection layers reduce the risk, the result is only a mitigation of the tank overfill.

6.3.2.2 Probability reduction

Protection layers such as the BPCS and overfill prevention system are designed to reduce the probability of a tank overfill through prevention.

6.3.3 Prioritization

During this step, it should be decided what risk reduction option to use and the prioritization compared to other projects in the company. When determining what risk reduction option to use it is especially important to evaluate whether the solution prevents or mitigates the risk, and whether the risk reduction option meets future requirements.

In the case of tank overfill, the most commonly selected risk reduction option is an overfill prevention system (OPS) because it:

• Prevents (rather than mitigates) the risk of tank overfill
• Is the considered Recognized And Generally Accepted Good Engineering Practice (RAGAGEP)
• Is commonly a regulatory requirement
• Can provide a higher risk reduction factor than 10 if designed according to IEC 61511
• Is the most cost efficient approach

6.3.4 Implementation

During this phase, the risk reduction option is implemented. In case the selected risk reduction option is an overfill prevention system, more information can be found in chapter 7.

6.4 Monitoring & review

Risk assessment is a life-cycle process that requires continuous monitoring, review and management of change.

6.5 Communication

Modern risk assessment recognizes the value of providing both personnel and the public with transparent information. This includes the results from the risk analysis, risk management and monitoring and review phases (e.g. inspection protocols and proof-test records).

7 Overfill management system

Topic | Page
7.1 Why OMS is needed | 60
7.2 The basic elements of OMS | 61
7.3 Success factors | 61

7. Overfill management system

Traditionally, tank overfills are attributed to malfunctioning equipment. Although this is often a contributing factor, the actual root cause is often more complex and involves human behavior. Therefore, a critical part of modern overfill prevention is to establish an adequate Overfill Management System (OMS) that is implemented throughout the organization, including how it actually works in the field.

The Center for Chemical Process Safety describes management systems as “a formally established and documented set of activities designed to produce specific results in a consistent manner on a sustainable basis” (CCPS Guidelines for Risk Based Process Safety, AIChE). Although a large task at first, the creation of an adequate OMS is not just a necessity to prevent tank overfills, it also eventually results in a more efficient facility.

The relation between OMS, corporate management system and safety management system is described in figure 7.1.

7.1 Why is an OMS needed?

Most companies today have implemented generic management systems, but not necessarily a specific system for overfill management. The need for OMS is however becoming increasingly recognized. It is an integral part of API 2350, and it is incorporated into the Occupational Safety & Health Administration’s (OSHA) Process safety management (PSM) regulation in the US and through the Seveso directive in Europe.

An OMS can help reduce the number of tank overfills in the following ways:

• OMS ensures that overfill prevention is prioritized and that risk for overfills is appropriately addressed
• OMS ensures that the tools needed to systematically identify potential and actual hazards and manage risks are provided and supported by management
• OMS ensures that incidents and near misses are systematically analysed to determine the root causes of overfills
• OMS ensures that equipment, procedures and operations are continuously evaluated and improved as needed to prevent and control overfills
• OMS ensures that the personnel who manage and operate tank facilities are knowledgeable and trained in the basic principles of overfill prevention and protection
• OMS ensures that organizations have the information needed to support business decisions that justify necessary resources, and appropriate controls and other measures needed to reduce risks to acceptable levels
• OMS ensures appropriate allocation of resources for overfill prevention
• OMS ensures that management, supervisory and employee behavior, attitudes, values, skills and actions are totally committed to preventing, managing and controlling overfills

[Figure 7.1: Venn diagram perspective showing how OMS relates to other corporate management systems (Corporate Management System, Safety Management System, Overfill Management System)]

7.2 The basic elements of OMS

There is no commonly accepted way to organize and name the elements of an OMS. Text box 7.1 provides a listing of common elements included in an OMS as a part of a modern overfill prevention approach.

Key Element 1: Safety and environmental advocacy
Key Element 2: Safety and environmental information
Key Element 3: Risk assessment
Key Element 4: Management of change
Key Element 5: Procedures and safe work practices
Key Element 6: Training and competent personnel
Key Element 7: Equipment integrity
Key Element 8: Conformance to industry standards
Key Element 9: A permit system
Key Element 10: Pre-startup safety review
Key Element 11: Pre-shutdown safety review
Key Element 12: Emergency response and control
Key Element 13: Near miss and incident investigation (“lessons learned”)
Key Element 14: Auditing
Key Element 15: Document and data information management systems
Key Element 16: OMS oversight, review, reevaluation and adjustment

Text box 7.1: Common elements of an overfill management system (OMS). The listing is a customized version of OSHA’s PSM regulation.

7.3 Success factors

The key elements of an OMS are generic, but the implementation is company and facility specific. Established success factors for an OMS to be effective include:

• Top management support
  ○ OMS must be established, implemented and actively and continuously supported by the organization’s leadership
• Employee engagement
  ○ OMS requires formal leadership responsibility and accountability at all levels of the organization
• Safety culture
  ○ OMS requires correctly aligned behaviour and attitudes by all employees, working together, so that proactive hazard identification, risk management, information control, training, procedures, and management of change are recognized and accepted principles of operation
• Continuous improvement
  ○ OMS requires continual review, evaluation and improvement through activities such as incident and accident investigation, audits and management of change.

8 Overfill prevention system

Topic                                          Page
8.1 Manual overfill prevention system          64
8.2 Automatic overfill prevention system       65
8.3 AOPS vs. MOPS                              66
8.4 Hardware fault tolerance                   66
8.5 Levels of concern                          68


8. Overfill prevention system

A multitude of protection layers are required to prevent an overfill from occurring. However, the protection layer most commonly associated with overfill prevention is the safety layer that is usually denoted overfill prevention system (OPS).

OPSs should always be separate and independent of BPCSs, but are present in the following two types: manual overfill prevention system (MOPS) and automatic overfill prevention system (AOPS).

8.1 Manual overfill prevention system

MOPS is dependent upon human actions. It usually consists of a level sensor that through an audiovisual alarm notifies an operator that is expected to take appropriate actions to prevent an overfill, e.g. manually closing a valve, as depicted in figure 8.1.

[Figure 8.1: left, Manual Overfill Prevention System (MOPS) with a level transmitter (LT) and an alarm; right, Basic Process Control System (BPCS) with its own LT and LC]

Figure 8.1: MOPS usually consists of a level transmitter (LT) connected to an audiovisual alarm that notifies an operator to take the appropriate action, e.g. closing a valve. API 2350 classification: category #3.


8.2 Automatic overfill prevention system

An AOPS consists of the following principal components:

It is also common that the AOPS consists of the following non-safety critical functions:
• Notification to operators through both audiovisual and screen alerts
• Actions to protect plant assets such as stopping pumps

A typical AOPS is presented in figure 8.2.

[Figure 8.2: left, Automatic Overfill Prevention System (AOPS) with a level transmitter (LT) and a safety instrumented system (SIS) logic solver; right, Basic Process Control System (BPCS) with its own LT and LC]

Figure 8.2: AOPS usually consists of a level transmitter (LT), logic and actuator which automatically closes a valve to prevent overfills from occurring. The logic may also execute non-safety critical tasks such as shutting down a pump and notifying the operators through audiovisual alerts. API 2350 classification: category #3.


AOPS is a safety instrumented function (SIF) and table 8.1 describes when conformance to IEC 61511 is a requirement.

Risk Reduction Factor | SIL        | Conformance to IEC 61511
<10                   | 0          | Recommended
>10                   | 1, 2, 3, 4 | Required

Table 8.1: AOPS conformance requirements to IEC 61511 according to IEC 61511

Table 8.1 describes conformance to IEC 61511 as recommended for AOPS that are SIL 0, although it is not required. The background is that safety requirements are continuously increasing, and what is SIL 0 today may become SIL 1 in the future. Hence the future-proof approach is to design SIL 0 AOPS in conformance with IEC 61511.

Similarly, the upgrade of an existing OPS is often a gradual process over several years where the sensors, logic solver and actuators are upgraded in different projects. The existing system may be a MOPS or an AOPS that was designed before the first edition of IEC 61511 was released in 2003. Often the requirements are uncertain. Maybe originally the goal is a risk reduction factor of 10 to 100 (SIL 1) but later evolves to 100 to 1,000 (SIL 2). The future-proof approach to the inherent uncertainty in many OPS projects is to select equipment from the beginning that:

1. Can be used in AOPS conforming to IEC 61511 as described in section "Equipment selection" chapter 5
2. Can be used, or easily upgraded, to meet a higher SIL than currently expected (target = SIL requirement + 1)

Input to the selection of individual components in an OPS can be found in chapter 10 "Equipment selection".

8.3 AOPS vs. MOPS

MOPS has traditionally been used in some applications because it is easier to implement, has lower initial capital expenditure and less complexity. However, modern overfill prevention gives preference to AOPS in conformance with IEC 61511 rather than MOPS because:
• Humans are inherently unreliable, and therefore MOPS is limited to a risk reduction factor of 10 according to IEC 61511. AOPS in conformance with IEC 61511 can offer risk reduction factors also above 10
• AOPS can considerably shorten response times compared to MOPS. It is not unusual that a MOPS has a 15 minute response time, whereas an AOPS has below 1 minute
• MOPS requires personnel in the field in potentially unsafe working conditions
• AOPS reduces workload for operators
• IEC 61511 / 61508 offers equipment with accreditation by third party assessors with standardized failure-rate data and safety manuals

8.4 Hardware fault tolerance

An AOPS needs to consist of a sensor, a logic solver, and an actuator. However, it is a common practice to add more than one of certain elements within the same AOPS. This is referred to as a system's Hardware Fault Tolerance (HFT) and can be employed to increase both reliability and availability of an OPS, as described in the following examples. Figure 8.3 illustrates the most basic setup. A single sensor is connected to a single logic solver that communicates with a single actuator. There are no redundant elements, hence HFT=0. This system is referred to as 1oo1 (1-out-of-1) since each element single-handedly determines the action of the system.

An alternative approach is to add a second actuator as illustrated in figure 8.4. There is 1 redundant actuator, which makes HFT=1 for this setup. It is referred to as 1oo2 (1-out-of-2) since only 1 of the 2 actuators needs to successfully close in order to prevent an overfill. This setup will increase reliability, but decrease the availability.

A third, and increasingly common alternative is to use a configuration of 2oo3 (2-out-of-3) sensors. The MOPS will close the valve when 2 of the 3 sensors agree that it is the proper action to take. With 2 redundant sensors, HFT increases to HFT=2, and in comparison to a 1oo1 configuration, this provides both increased reliability and availability.


[Figure 8.3: one LT, one SIS logic solver, one actuator]

Figure 8.3: OPS consisting of 1oo1 sub-systems (HFT = 0)

[Figure 8.4: one LT, one SIS logic solver, two actuators]

Figure 8.4: OPS consisting of 1oo2 actuators (HFT = 1). This configuration increases the reliability, but decreases the availability, compared to a 1oo1 configuration

[Figure 8.5: three LTs, one SIS logic solver, one actuator]

Figure 8.5: OPS consisting of 2oo3 sensors (HFT = 2). This configuration increases both the reliability and availability, compared to a 1oo1 configuration

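The MooN voting described in section 8.4 and the reliability/availability trade-off of figures 8.4 and 8.5, as an added example that is not from the guide. The per-element probabilities of a dangerous failure and of a spurious (false) demand are constructed placeholders; the code does not recompute the HFT labels, it only shows how each configuration votes and how the two failure directions (loss of the protective function versus a spurious trip) change with the configuration.

```python
"""MooN voting in an OPS and its effect on reliability and availability
(section 8.4).  Added example; the probabilities are constructed placeholders."""
from math import comb


def vote_moon(m: int, demands: list) -> bool:
    """MooN (M-out-of-N): the protective action is taken when at least M of the
    N elements demand it.  1oo1 = a single element decides; 1oo2 = either of two;
    2oo3 = majority of three."""
    return sum(1 for d in demands if d) >= m


def p_at_least(m: int, n: int, p: float) -> float:
    """Probability that at least m of n independent elements are each in a state
    that has probability p (binomial tail)."""
    return sum(comb(n, k) * p ** k * (1.0 - p) ** (n - k) for k in range(m, n + 1))


def p_loss_of_function(m: int, n: int, p_dangerous: float) -> float:
    """Reliability view: the MooN function is lost (fails to act on a real demand)
    once fewer than m elements are still able to act, i.e. when at least
    n - m + 1 elements have failed dangerously."""
    return p_at_least(n - m + 1, n, p_dangerous)


def p_spurious_trip(m: int, n: int, p_spurious: float) -> float:
    """Availability view: a spurious trip shuts the tank in although no overfill
    is pending, as soon as at least m elements demand the action falsely."""
    return p_at_least(m, n, p_spurious)


# (M, N) of the three configurations discussed in section 8.4
CONFIGURATIONS = {"1oo1": (1, 1), "1oo2": (1, 2), "2oo3": (2, 3)}


def compare(p_dangerous: float, p_spurious: float) -> dict:
    """Per configuration: (P(loss of function), P(spurious trip))."""
    return {name: (p_loss_of_function(m, n, p_dangerous), p_spurious_trip(m, n, p_spurious))
            for name, (m, n) in CONFIGURATIONS.items()}


if __name__ == "__main__":
    # Figure 8.4: 1oo2 actuators -- the valve closes if either actuator closes.
    print("1oo2 actuators, one stuck open:", vote_moon(1, [False, True]))       # True
    # Figure 8.5: 2oo3 sensors -- one sensor stuck high does not trip the tank ...
    print("2oo3 sensors, one false high:", vote_moon(2, [True, False, False]))  # False
    # ... and one sensor stuck low does not mask a real high level either.
    print("2oo3 sensors, one stuck low:", vote_moon(2, [True, True, False]))    # True
    for name, (loss, spurious) in compare(0.01, 0.01).items():
        print(f"{name}: P(loss of function)={loss:.6f}  P(spurious trip)={spurious:.6f}")
```

With the constructed 1 % per element, 1oo2 actuators reduce the loss-of-function probability from 1 % to 0.01 % but nearly double the spurious-trip probability (reliability up, availability down, as figure 8.4 states), whereas 2oo3 sensors reduce both to about 0.03 %, which is why figure 8.5 credits that configuration with both.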

8.5 Levels of concern

A critical aspect of overfill prevention is to correctly define the levels of concern (LOC) which include Critical High (CH), Level Alarm High High (LAHH or simply HiHi) and Maximum Working Level (MWL) as depicted in figure 8.6 and described in table 8.2.

[Figure 8.6: tank with the levels CH (top), LAHH (below CH) and MWL (below LAHH)]

Figure 8.6: The Levels Of Concern (LOC) for tank overfill prevention

According to API 2350 the level alert high (LAH) is not included as a LOC but it may optionally be used for operational purposes. Note the difference in terminology: LAHH is an alarm whereas LAH is an alert. According to API 2350 an alarm is safety critical and requires immediate action whereas alerts are optional non-safety critical notifications.

Determining the LOC is a rigorous process where both internal and external requirements (chapter 5 "Industry standards" and chapter 4 "Regulatory requirements") should be taken into account as well as the performance of the OPS and BPCS.

CH – LAHH = Max level rate x Response time + Safety margin

The location of the LAHH is commonly determined by the following steps:
• The maximum level rate is calculated. Typically based on the maximum flow-rate and the diameter of the tank. Note that the diameter in the tank may vary and this must be taken into consideration
• The response time is determined. This must take the entire OPS into account. More specifically:
  ◦ AOPS: the sum of the worst case response times of the sensor, logic and actuator
  ◦ MOPS: the sum of the worst case response times of the level sensor, notification system and subsequent manual actions. The response time of the manual actions may include the time for the operator to observe the alarm, the time it takes to communicate the alarm to a field operator, time for a field operator to travel to the actuator, and the time it takes to activate the actuator
• The safety margin to be used is defined, which is ultimately a corporate decision
• Finally, LAHH is calculated by the following formula: LAHH = CH - Max level rate x Response time - Safety margin

Changes of the LOC should undergo a management of change process, which is a part of the overfill management system (OMS) described in chapter 7. Consequently, the LOC should not be changed frequently or temporarily due to, for example, operational inconveniences.

Level of concern (LOC) | Abbreviation | Definition
Critical High Level    | CH           | The highest level in the tank that product can reach without detrimental impacts (i.e. product overflow or tank damage)
Level Alarm High-High  | LAHH         | An alarm is generated when the product level reaches the high-high tank level. Note that an alarm is safety critical and requires immediate action (whereas alerts are optional non-safety critical notifications)
Maximum Working Level  | MWL          | An operational level that is the highest product level to which the tank may routinely be filled during normal operations

Table 8.2: API 2350 definition of The Levels Of Concern (LOC) for tank overfill prevention

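The LAHH placement steps of section 8.5 carried through in code, as an added example that is not from the guide. The tank dimensions, maximum flow rates, component response times and safety margin are constructed values, and the tank is assumed to be a vertical cylinder of constant diameter (the simplification the note about a varying diameter warns against; the comment in max_level_rate_m_per_h says how to handle that case). The last check goes one step beyond the text by verifying that the three levels keep their order MWL < LAHH < CH, which is what makes a calculated LAHH usable.

```python
"""Levels of concern (LOC) for tank overfill prevention: locating LAHH from
CH, the maximum level rate, the OPS response time and a safety margin, as
described in section 8.5.  Added example; all numeric inputs are constructed."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Tank:
    diameter_m: float            # constant-diameter vertical cylinder assumed (constructed)
    critical_high_m: float       # CH: highest level without overflow or tank damage
    max_working_level_m: float   # MWL: highest level used in routine operation


def max_level_rate_m_per_h(max_flow_m3_per_h: float, diameter_m: float) -> float:
    """Worst-case rise of the product level = maximum inflow / cross-section.
    If the diameter varies with height, use the smallest cross-section the
    product can reach between MWL and CH, where the level rises fastest."""
    cross_section_m2 = math.pi * (diameter_m / 2.0) ** 2
    return max_flow_m3_per_h / cross_section_m2


def aops_response_time_s(sensor_s: float, logic_s: float, actuator_s: float) -> float:
    """AOPS: sum of the worst-case response times of sensor, logic and actuator."""
    return sensor_s + logic_s + actuator_s


def mops_response_time_s(sensor_s: float, notification_s: float, observe_s: float,
                         communicate_s: float, travel_s: float, activate_s: float) -> float:
    """MOPS: sensor and notification system plus every manual step (the operator
    observes the alarm, calls the field operator, who travels to and operates
    the actuator).  Each term is the worst case, not the typical case."""
    return sensor_s + notification_s + observe_s + communicate_s + travel_s + activate_s


def lahh_m(tank: Tank, max_flow_m3_per_h: float, response_time_s: float,
           safety_margin_m: float) -> float:
    """LAHH = CH - max level rate x response time - safety margin."""
    rate_m_per_h = max_level_rate_m_per_h(max_flow_m3_per_h, tank.diameter_m)
    return (tank.critical_high_m
            - rate_m_per_h * (response_time_s / 3600.0)
            - safety_margin_m)


def loc_consistent(tank: Tank, lahh: float) -> bool:
    """The levels must be ordered MWL < LAHH < CH.  If LAHH lands at or below MWL,
    routine filling would trip the safety alarm; the design must then shorten the
    response time (e.g. AOPS instead of MOPS), reduce the fill rate or lower MWL."""
    return tank.max_working_level_m < lahh < tank.critical_high_m


# Constructed tank and constructed worst-case timings (not from the guide).
TANK = Tank(diameter_m=20.0, critical_high_m=15.0, max_working_level_m=13.5)
SAFETY_MARGIN_M = 0.2
AOPS_RESPONSE_S = aops_response_time_s(sensor_s=2, logic_s=1, actuator_s=30)          # 33 s
MOPS_RESPONSE_S = mops_response_time_s(sensor_s=2, notification_s=3, observe_s=60,
                                       communicate_s=120, travel_s=600, activate_s=115)  # 900 s


def design_lahh(max_flow_m3_per_h: float, response_time_s: float):
    """(LAHH in metres, LOC consistent?) for the constructed tank."""
    lahh = lahh_m(TANK, max_flow_m3_per_h, response_time_s, SAFETY_MARGIN_M)
    return lahh, loc_consistent(TANK, lahh)


if __name__ == "__main__":
    for name, resp in (("AOPS", AOPS_RESPONSE_S), ("MOPS", MOPS_RESPONSE_S)):
        for flow in (1200.0, 2400.0):
            lahh, ok = design_lahh(flow, resp)
            print(f"{name} at {flow:.0f} m3/h: LAHH = {lahh:.2f} m, LOC consistent: {ok}")
```

For the constructed 20 m tank, doubling the fill rate to 2400 m3/h moves the MOPS LAHH below the 13.5 m MWL, so a 15-minute manual response can no longer be accommodated without lowering MWL, while the AOPS LAHH barely moves; this is the response-time argument of section 8.3 expressed in tank levels.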
9 - Proof-testing

9 Proof-testing

Topic                                                                              Page
9.1 Proof-testing requirements                                                     71
  9.1.1 IEC 61511                                                                  71
  9.1.2 API 2350                                                                   72
9.2 Proof-test interval                                                            72
  9.2.1 IEC 61511                                                                  72
  9.2.2 API 2350                                                                   75
9.3 Traditional approach to overfill prevention                                    75
  9.3.1 Traditional Proof-testing procedures exemplified with point-level sensors  75
9.4 Modern approach to proof-testing                                               77
  9.4.1 Benefits                                                                   77
9.5 Implications                                                                   79


9. Proof-testing

The purpose of proof-testing is to detect random hardware failures to verify that commissioned equipment already in operation functions correctly. It is executed periodically and thereby differs from the site acceptance test (SAT) which is executed as a part of the commissioning or management of change process to detect systematic (human) errors.

Proof-testing is a useful tool to reduce the probability of failure of infrequently used safety systems. It is associated with the safety layer and not the BPCS which is always in use and is therefore (at least theoretically) assumed to be continuously verified. The BPCS may need periodic verification but this is typically not denoted proof-testing since the purpose is different (e.g. accuracy verification rather than detecting random hardware failures). In this guide, proof-testing is synonymous with verification of the overfill prevention system (OPS).

Proof-testing is generic and applies to any type of equipment. It is critical that the entire safety function and associated equipment are included. At a minimum, there will be a sensor, actuator and a logic solver, but for an OPS, this could be interpreted as level sensors, a PLC, valves, emergency stop buttons, and audiovisual alarms. See figure 9.1.

The industry's focus on this particular subject has increased in recent times, mainly due to:
• Ever-increasing need for safety and efficiency improvements
• The introduction of IEC 61511 which emphasizes the safety life-cycle approach (figure 5.4) along with providing a theoretical framework for proof-testing and a quality metric (the coverage factor)
• A number of high profile accidents where lack of proper proof-testing was suspected to be one of the root-causes (e.g. the Buncefield accident)

The trend in the industry is to include proof-testing as a key selection criterion when purchasing equipment since the cost to execute once the equipment has been commissioned can be considerable. Other important aspects involve personnel and process safety.

[Figure 9.1: left, Overfill Prevention System (OPS) with a level transmitter (LT) and a safety instrumented system (SIS) logic solver; right, Basic Process Control System (BPCS) with its own LT and LC]

Figure 9.1: Proof-testing applies to all components of an overfill prevention system (OPS)


9.1 Proof-testing requirements

9.1.1 IEC 61511

Proof-testing is an integral part of IEC 61511 with numerous requirements presented throughout the safety life-cycle. The most important ones are listed below. Note that even if the scope of IEC 61511 is the safety critical components of an AOPS, most requirements are equally applicable to a MOPS or non-safety critical equipment used in an AOPS.

According to IEC 61511, basic proof-testing requirements shall already be included in the safety requirements specification (SRS) in the safety life-cycle step "safety requirements specifications for the safety instrumented system" (figure 5.4):
• Internal and external (e.g. functional, regulatory, insurance, company, site specific) requirements and relevant industry standards shall be documented
• It is recommended that the requirements for the desired proof-testing interval are specified. For example, if proof-testing is to be performed only during planned shutdowns (e.g. every 5 years), the design might require additional redundancy compared to where annual proof-testing is implemented. As a result, the necessary parameters to calculate the proof-test interval also need to be specified
• Any requirements on overrides/inhibits/bypasses shall be documented

Furthermore, IEC 61511 states that developing the proof-test procedure is an integral part of the design of the safety function. Consequently, the design of the proof-test procedure is not something that should be conducted "after the fact". The following requirements are applicable for the safety life-cycle step "design and engineering of safety instrumented system" (figure 5.4):
• The proof-test may be carried out either end-to-end or by one element at a time (i.e. sensor, logic-solver, actuator)
• The proof-test procedure shall include overrides/inhibits/bypasses and how they will be cleared and how operators are notified
• Incorrectly performed testing can be dangerous. It is therefore important that the procedures are realistic to prevent deviations during execution, and that both process and personal safety concerns are taken into consideration. Testing personnel often have valuable experience and it is recommended that they are included during the development of the procedures and ultimately approve them. This additionally ensures compliance with current facility specific practices
• Care should be taken with human factors while designing proof-test procedures. For example, change of sensor configuration shall not be required as a part of the procedures and bypass switches shall be protected by key locks or passwords to prevent unauthorized use
• The proof-test procedures shall be properly documented and templates with pass/fail criteria for equipment verification shall be developed. The documentation shall also include instructions for maintaining process safety during the proof-test and behavior on detection of a fault
• Proof-test interval shall be calculated and documented

IEC 61511 also specifies proof-test requirements for the safety life-cycle step "operation and maintenance" (figure 5.4):
• Proof-testing can be dangerous. Immediate safety concerns can arise, or the safety function may be forgotten in an inoperable state. It is therefore critical that the proof-test is performed by qualified personnel who are properly trained and execute the procedure exactly according to the instructions, without any deviations
• The user shall maintain records that certify that proof-tests and inspections were completed as required. These records shall include the following information as a minimum:
  ◦ Description of the tests and inspections performed
  ◦ Dates of the tests and inspections
  ◦ Name of the person(s) who performed the tests and inspections
  ◦ Serial number or other unique identifier of the system tested
  ◦ Results of the tests and inspection


9.1.2 API 2350

API 2350 provides requirements for testing of overfill prevention systems which are equally applicable to both MOPS and AOPS. The requirements are similar to those found in IEC 61511, although targeted specifically towards the bulk liquid industry. The most important requirements are:
• Proof-test procedures shall be documented and schedules for periodic proof-testing shall be established
• Proof-test records shall be maintained for at least three years
• The personnel executing the proof-testing shall be competent. The facility is responsible for assigning dedicated personnel and providing appropriate training

9.2 Proof-test interval

There are two basic methods for the determination of a proof-test interval:
• Prescriptive method with predetermined interval
• Analytical method based on equipment reliability and required risk reduction

The traditional approach is to use a predetermined interval which may result in an over or under engineered solution. The modern approach therefore uses the analytical method to calculate an interval appropriate for the specific safety function.

In practice, a number of factors based on internal and external requirements must be taken into account when determining the proof-test interval. The remainder of this section describes the requirements according to IEC 61511 and API 2350.

9.2.1 IEC 61511

According to the IEC 61511 methodology, the most important factors affecting the proof-test interval are:
• The safety function's risk reduction factor (RRF)
• The reliability of the device (λDU)
• Proof-test effectiveness (coverage factor) and existence of partial proof-testing
• Mission time, i.e. the time from a system's start-up until its replacement or refurbishment to as-new condition

9.2.1.1 The bathtub curve

IEC 61511 provides a theoretical framework for the calculation of the proof-test interval. An important fundamental assumption for that framework is that the random hardware failure rate of a level sensor is constant during its useful lifetime. This is often referenced as the middle section of a so called bathtub curve. The bathtub curve is a widely used model in reliability engineering and a more detailed explanation is provided in figure 9.2.

[Figure 9.2: failure rate versus time with three regions: early failures, random failures, wear-out failures]

Figure 9.2: The bathtub curve

9.2.1.2 Probability of failure on demand

According to IEC 61511, the proof-test interval shall be calculated based on the average probability of failure on demand, denoted PFDavg, during the time that the safety function is in operation (mission time). For instance, an overfill prevention system with a high PFDavg runs a high risk of failing to close a shutdown valve in an event of excessive tank levels, whereas an overfill prevention system with low PFDavg is more reliable. The PFDavg value needs to match the required risk reduction factor as described in table 9.1.

SIL | RRF            | PFDavg
1   | 10-100         | 0.1-0.01
2   | 100-1,000      | 0.01-0.001
3   | 1,000-10,000   | 0.001-0.0001
4   | 10,000-100,000 | 0.0001-0.00001

Table 9.1: Risk reduction factors (RRF) and average probability of failure on demand (PFDavg) segmented by safety integrity levels (SIL)

Calculating PFDavg involves a multitude of factors. Software packages exist with complex models but IEC 61508-6 provides approximate simplified formulas. Assuming non-redundant configurations (1oo1) where λDU is the safety function's dangerous and undetected failure rate and T is the time interval:

PFD ≈ λDU * T

PFDavg ≈ λDU * T / 2

The risk reduction factor (RRF) can be calculated in the following way:

RRF = 1/PFDavg


Example: Calculation of PFD and PFDavg using IEC 61508-6 simplified formulas

An automatic overfill prevention system has a total failure rate of λDU = 500 FIT = 500 [1/10^9 hours]. The probability of failure on demand at T = 2 years approximately equals:

PFD ≈ (500/10^9) x (2 x 365 x 24) = 0.9 %.

The average probability of failure on demand during this period was:

PFDavg ≈ 0.9% / 2 = 0.45%.

This corresponds to a risk reduction factor of RRF = 1/0.45% = 220 which lies in the SIL 2 range.

[Figure 9.3: probability of failure on demand (PFD) versus time for a 500 FIT system; PFD rises linearly to 0.9% at 2 years, PFD(avg) = 0.45%]

Figure 9.3: Example calculation of PFD and PFDavg using IEC 61508-6 simplified formulas

Example 9.1: Calculation of PFD and PFDavg using IEC 61508-6 simplified formulas

9.2.1.3 Proof-test coverage factor

In practice, proof-tests are not 100% effective. The effectiveness of a proof-test is described using the coverage factor which specifies the share of detected dangerous undetected failures (λDU). The effect of an imperfect proof-test procedure (coverage less than 100%) is visualized in figure 9.4.

[Figure 9.4: probability of failure on demand (PFD) versus time with repeated proof-tests of coverage < 100%; the PFD drops at each test but not back to zero]

Figure 9.4: The repetitive effect on the probability of failure on demand caused by an imperfect proof-test procedure

In case the proof-test interval is an even multiplier of the mission time, the following simplified formula can be used to calculate the approximate average probability of failure:

PFDavg ≈ λDU * (1 - coverage factor) * T(mission time) / 2 + λDU * (coverage factor) * T(proof-test interval) / 2

Considering that the coverage factor is an indication of a proof-test's effectiveness to detect dangerous undetected faults, it is a useful metric for a qualitative assessment of proof test quality.

9.2.1.4 Combining a safety function's sub-systems

Assuming that a safety function's components are independent, its total failure rate may simply be calculated as the sum of each component.

λDU = λDU(Sensor) + λDU(Logic) + λDU(Actuator)

Consequently, the total average probability of failure on demand can be calculated by adding the PFDavg values for each component.

PFDavg = PFDavg(Sensor) + PFDavg(Logic) + PFDavg(Actuator)

This is critical as it is the total safety function's PFDavg that determines the actual proof testing interval. It is however still useful to obtain an indicative figure of the requirements on the different components. One reason is that each component may be proof-tested at different intervals. Another is that the system's requirement can be broken down by suggested guidelines for each component. A commonly used model that provides guidelines on the suitable split of a system's PFDavg between its components is shown in figure 9.5.

[Figure 9.5: pie chart: Sensor 35%, Logic 15%, Actuator 50%]

Figure 9.5: Commonly used model to estimate the approximate PFDavg requirements for the different sub-systems in a safety function

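The formulas of sections 9.2.1.2 to 9.2.1.4 as working code, added here as an example that is not from the guide. It reproduces example 9.1 above and the sensor evaluation of example 9.2 on the next page (80 FIT, 80 % coverage, 9-year mission, 3-year test interval, RRF 200), classifies an RRF by table 9.1, applies the figure 9.5 split, and goes one step beyond the text in two places: max_proof_test_interval_h solves the coverage formula for the largest test interval that still meets a PFDavg budget, and the optional partial-test term in pfd_avg_tested is the standard extension of the guide's two-term formula to a second, lower-coverage test run more often (an assumption, not something the guide states).

```python
"""PFD, PFDavg, RRF and SIL with the IEC 61508-6 simplified 1oo1 formulas of
section 9.2.1, reproducing examples 9.1 and 9.2 of the guide.  Added example;
the partial-proof-test term in pfd_avg_tested() is the standard extension of
the guide's two-term formula and is an assumption, not a formula the guide gives."""

HOURS_PER_YEAR = 365 * 24
FIT = 1e-9                      # 1 FIT = one failure per 1e9 hours

# Table 9.1: SIL -> RRF band (lower bound inclusive, upper bound exclusive here)
SIL_RRF = {1: (10, 100), 2: (100, 1_000), 3: (1_000, 10_000), 4: (10_000, 100_000)}
# Figure 9.5: commonly used split of a function's PFDavg budget between sub-systems
PFD_SPLIT = {"sensor": 0.35, "logic": 0.15, "actuator": 0.50}


def pfd(lam_du: float, t_h: float) -> float:
    """PFD ~ lambda_DU * T  (1oo1; lambda_DU in failures per hour, T in hours)."""
    return lam_du * t_h


def pfd_avg(lam_du: float, t_h: float) -> float:
    """PFDavg ~ lambda_DU * T / 2  (PFD grows linearly from zero, so the mean is half)."""
    return lam_du * t_h / 2.0


def rrf(pfd_avg_value: float) -> float:
    """RRF = 1 / PFDavg."""
    return 1.0 / pfd_avg_value


def sil_from_rrf(value: float):
    """SIL band of table 9.1; 0 when RRF < 10 (no SIL claim), None above the SIL 4 band."""
    if value < 10:
        return 0
    for sil, (lo, hi) in SIL_RRF.items():
        if lo <= value < hi:
            return sil
    return None


def pfd_avg_tested(lam_du, mission_h, coverage, interval_h,
                   partial_coverage=0.0, partial_interval_h=0.0):
    """Section 9.2.1.3: the share (1 - coverage) of lambda_DU that no proof-test
    finds accumulates over the whole mission time; the detectable share is reset
    at every comprehensive test.  A partial test (lower coverage, run more often)
    resets its own share at its own interval (assumed extension; 0 = no partial test)."""
    if not 0.0 <= partial_coverage <= coverage <= 1.0:
        raise ValueError("need 0 <= partial coverage <= comprehensive coverage <= 1")
    return lam_du * ((1.0 - coverage) * mission_h / 2.0
                     + (coverage - partial_coverage) * interval_h / 2.0
                     + partial_coverage * partial_interval_h / 2.0)


def total_pfd_avg(sensor: float, logic: float, actuator: float) -> float:
    """Section 9.2.1.4: independent sub-systems, so their PFDavg values add up."""
    return sensor + logic + actuator


def subsystem_budget(rrf_required: float, subsystem: str) -> float:
    """Share of the function's PFDavg (= 1/RRF) allowed for one sub-system (figure 9.5)."""
    return PFD_SPLIT[subsystem] / rrf_required


def max_proof_test_interval_h(lam_du, mission_h, coverage, pfd_avg_budget) -> float:
    """Largest comprehensive test interval keeping PFDavg within budget (the
    coverage formula solved for interval_h).  Returns 0.0 when the untestable
    share alone exceeds the budget: no test interval helps then, and a more
    reliable device or a shorter mission time is needed."""
    untestable = lam_du * (1.0 - coverage) * mission_h / 2.0
    if untestable >= pfd_avg_budget:
        return 0.0
    return (pfd_avg_budget - untestable) * 2.0 / (lam_du * coverage)


def example_9_1():
    """500 FIT AOPS, T = 2 years: (PFD ~ 0.9 %, PFDavg ~ 0.45 %, RRF ~ 220, SIL 2)."""
    lam_du, t_h = 500 * FIT, 2 * HOURS_PER_YEAR
    avg = pfd_avg(lam_du, t_h)
    return pfd(lam_du, t_h), avg, rrf(avg), sil_from_rrf(rrf(avg))


def example_9_2():
    """80 FIT sensor, 80 % coverage, 9-year mission, 3-year interval, RRF 200:
    (sensor PFDavg ~ 0.15 %, 35 % budget share ~ 0.18 %, candidate?)."""
    avg = pfd_avg_tested(80 * FIT, 9 * HOURS_PER_YEAR, 0.8, 3 * HOURS_PER_YEAR)
    budget = subsystem_budget(200, "sensor")
    return avg, budget, avg <= budget


if __name__ == "__main__":
    print("Example 9.1 (PFD, PFDavg, RRF, SIL):", example_9_1())
    print("Example 9.2 (PFDavg, budget, candidate):", example_9_2())
    t_max = max_proof_test_interval_h(80 * FIT, 9 * HOURS_PER_YEAR, 0.8,
                                      subsystem_budget(200, "sensor"))
    print(f"Longest comprehensive test interval within budget: {t_max / HOURS_PER_YEAR:.2f} years")
```

For the example 9.2 sensor the longest comprehensive test interval that still meets the 0.18 % budget is just under 4 years, which is why the 3-year interval is acceptable; adding a constructed quarterly partial test with 50 % coverage lowers the same sensor's PFDavg from about 0.147 % to about 0.099 %, which is the mechanism by which section 9.2.1.5 says partial tests are used to extend the comprehensive interval.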

Example calculation: Estimating the proof-test interval for a level sensor

A level sensor is evaluated for usage in a safety function that is required to provide a risk reduction of 200 (SIL 2). The mission time is 9 years and the specified minimum test interval is 3 years. According to the data sheet, the level sensor has a failure rate λDU = 80 FIT and the proof-test coverage is 80%. Should this level sensor be considered as a potential candidate for this safety function?

According to the formulas provided in this section, the sensor's PFDavg ≈ (80/10^9) x (1 - 80%) x (9 x 365 x 24) / 2 + (80/10^9) x (80%) x (3 x 365 x 24) / 2 = 0.15%.

According to the standard model, the sensor is allowed to contribute PFDavg = 35% x PFDavg = 35% x 1/200 = 0.18%.

Since the approximate average probability of failure on demand is lower than what can typically be assumed for a level sensor in this application (0.15% < 0.18%) the answer is yes, this sensor is a potential candidate for this safety function.

[Figure 9.6: probability of failure on demand (PFD) versus time for an 80 FIT sensor with 80% coverage; the PFD is reset by proof-tests at 3, 6 and 9 years, PFD(avg) = 0.15%]

Figure 9.6: Visualization of example PFD and PFDavg calculation

Example 9.2: Estimating the proof-test interval for a safety function's sensor

9.2.1.5 Comprehensive and partial proof-testing

Proof-testing has traditionally affected tank operations and thereby caused down-time. This problem has been especially prominent in continuous processes, where it may not have been possible to close a valve and thereby shut down the flow of incoming or outgoing product. The solution in this case has been bypass pipes as depicted in figure 9.7, but the proof-test procedure becomes very cumbersome with the risk of forgetting manual valves.

[Figure 9.7: bypass pipe around the shutdown valve, with manual valves on the bypass]

Figure 9.7: Principal overview of a bypass pipe used for actuator and valve testing.

Based on this background, actuator and valve manufacturers developed methodologies that only close valves partially, thereby minimizing the effect on the process. The rationale is that one of the most frequent failure modes of a valve is that it gets completely stuck, e.g. due to rust. This type of test also, to some extent, verifies the actuator and its connections. Although there is no definition for the word partial testing, this has been the industry terminology for this type of testing. The opposite is usually denoted comprehensive testing, in this case implying that the valve is entirely closed during the proof-test.

More recently a similar principle has been applied to sensors. The rationale can be understood by segmenting the sensor into functional elements as depicted in figure 9.8: output circuitry, measurement electronics, and sensing element.

[Figure 9.8: sensor drawn as three stacked elements, Output circuitry, Measurement electronics and Sensing element, with the sensing element facing the process]

Figure 9.8: Sensor segmented into the functional elements Output circuitry, Measurement electronics, and Sensing element.

For sensors, the scope of comprehensive proof-testing includes all of the elements described in figure 9.8, whereas the scope of partial proof-testing is limited to only one or a few elements (but not all). This could be exemplified with testing the analog output signal of a pressure transmitter. This would be partial proof-testing as it does not verify the integrity of the process seal.


Usually, partial proof-tests are used to extend the time interval of the comprehensive proof-test. Mathematically, the partial proof-test has a lower coverage factor than the comprehensive proof-test. The principal effect on the probability of failure on demand is depicted in figure 9.9.

[Figure 9.9: probability of failure versus time; frequent partial proof-tests lower the PFD by a small step each, the less frequent comprehensive proof-test by a larger step]

Figure 9.9: Test coverage of partial and comprehensive proof-testing

Although the partial proof-test, which is usually performed remotely, is useful to extend the time interval of the comprehensive proof-test, it is important not to forget the need for visual inspection.

9.2.2 API 2350

API 2350 contains a mixed approach to the proof-testing interval with a prescriptive number specified in conjunction with the alternative of using a performance based approach (in practice this means according to the IEC 61511 approach described above).

For the prescriptive numbers, API 2350 specifies that:
• Point-level sensors shall be proof-tested every 6 months
• All other equipment in the overfill prevention system shall be proof-tested every 12 months

The type of testing (i.e. partial or comprehensive) that should be conducted at these time intervals is not specified.

9.3 The traditional approach to overfill prevention

Proof-testing has attracted little attention in the traditional approach to overfill prevention (described in chapter 3 "Key Elements"). Test effectiveness has often been low and the test intervals have often not been determined analytically. The personnel's trust in the tests has been low and execution has therefore not been stringent and often close to random. The often non-documented procedures have been cumbersome and in some cases dangerous and resulted in considerable downtime. Documented evidence that the proof-test has been executed correctly is often incomplete or nonexistent.

9.3.1 Traditional proof-testing procedures exemplified with point level sensors

Although the trend is towards using continuous level sensors for safety critical measurements, point-level sensors have been traditionally used for these types of applications. Over the years, equipment manufacturers, system integrators and users have developed several different proof-testing procedures, which can broadly be separated into the categories listed below and overleaf.

Live simulation of alarm condition

An intuitive proof-testing method is to raise and lower the actual product level to verify that the level sensor's output signal functions as expected. Although this may appear to be straightforward, in practice this method is time-consuming and, more importantly, it exposes the tank to a dangerous condition. According to API 2350 this type of proof-testing method should be avoided.


Bucket testing
Another traditional proof-testing method is to dismount the point level sensor and expose it to the alarm
condition. In practice, this is often performed by inserting the device into a bucket filled with product. This
method requires a visit to the tank and access to the level sensor while the tank is temporarily taken out of
operation. The procedure may be a direct safety concern to the personnel executing the test since it both
exposes the tank to the atmosphere and the bucket contents may be hazardous. Additional precautions
must be taken if it is a pressurized tank or an explosive environment. Ideally, the product in the bucket
should be the same as in the tank, but for safety reasons, water is often used.
When the test is not performed with the media to be
measured, there is an obvious risk that test results
become irrelevant for the true process conditions.
Furthermore, when sensors are dismounted, there
is no guarantee that re-commissioning is correctly
executed. There may be cable glitches, gaskets
missing, loose bolts or even damage imposed to the
sensor itself.
One advantage with this type of testing however,
is that it allows for visual inspection of the sensor’s
wetted parts. For example indications of corrosion
or material incompatibility may be used as input for
predictive maintenance.

Test chambers
An alternative to live simulation is to mount the level sensor inside a chamber that can be mechanically isolated from the tank. Using external connections, the chamber can be filled and drained with product (ideally the same as in the tank), thereby simulating an alarm condition. This method shares many of the drawbacks of bucket testing, since it exposes the atmosphere and personnel to the product inside the tank. Additionally, these chambers are often inaccessible, and there is a risk that the mechanical by-pass is not restored correctly, rendering the measurement inoperable.

Test levers
To eliminate the problems relating to dismounting and isolation of the level sensor, various types of in-situ ("in place") proof-testing methods have been developed. The most frequent principle is the use of test levers that mechanically simulate the alarm condition. Although the levers may be spring loaded and originally designed to fail safe, empirical evidence has shown that this is often not the case. Leaks, corrosion, intermediate positions, or simply improper handling by personnel may result in dangerous failure modes. This was believed to be one of the root causes of the Buncefield accident.


Test buttons
Versions of the test lever principle have also been designed for electronic point level sensors, often implemented as a local test button inside the level sensor's enclosure. This can be performed in-situ but requires an enclosure cover to be removed, which is a potential risk (in a hazardous area the enclosure may be part of the explosion protection). Therefore some designs feature a magnet-operated test, which does not require the cover to be removed.

Designs also exist that incorporate remote test buttons. These, however, add components with additional failure modes that reduce the overall equipment reliability. Additionally, the transmitter is not visually inspected.

Due to their nature, test buttons only perform a partial proof-test (e.g. they may test the output relay only, or certain parts of the electronics). Their primary use is therefore as a complement to the comprehensive proof-test procedures that verify all parts of the level sensor, including the sensing element (e.g. through a bucket test).

In order to assess the value, relevance and effectiveness of test buttons, it is critical to have both a qualitative understanding of which failure modes are covered and a quantitative coverage factor.

Picture: Test button

9.4 The modern approach to proof-testing

9.4.1 Benefits
Modern equipment provides benefits when compared to the traditional solutions from both a safety and an efficiency perspective.

Safety improvements
• Higher test effectiveness (coverage factor) results in increased reliability of the safety function
• Increased safety for the personnel executing the tests
• Minimal impact on process safety during the tests
• Reduced risk of leaving the tested device inoperable
• Simultaneous verification of the level sensor used in the basic process control system (BPCS)

Efficiency improvements
• Labor savings through more efficient procedures and longer test intervals
• Reduction in tank down-time and minimized process impact
• Simplified documentation and auditing
• Reduced engineering time to develop the bypass, test and restoration procedures

As an example, a proof-test procedure for a traditional point level measurement is likely to require approximately 4 hours to complete and should, according to API 2350, be completed twice a year. Over a safety function's lifetime of 10 years, direct labor costs would accumulate to approximately $8,000. In comparison, the proof-test of the modern approach utilizing a continuous level measurement may be reduced to 30 minutes and is only required once every year. That corresponds to labor costs of only $500. This simplified and conservative estimation shows potential savings of $7,500, which easily provides financial justification to invest in equipment with modern proof-testing capabilities. Note that this does not include additional improvements in terms of safety and reduced downtime. The calculation steps are:

Proof-testing point level measurement: 4 hours x 2 tests/year x 10 years x $100/hour = $8,000
Proof-testing continuous level measurement: 0.5 hours x 1 test/year x 10 years x $100/hour = $500


Proof-testing radar level sensors: latest advancements

Selected radar level sensors designed specifically for SIS and certified according to IEC 61508 offer comprehensive proof-testing functionality such as:
–– Documented procedure with coverage factor above 90%
–– The proof-test can be completed remotely within a few minutes without altering the level
–– Software package with wizards that guide the user and upon completion generate a proof-test record compliant with IEC 61511 and API 2350
–– Theoretical proof-test intervals exceeding 10 years (SIL 2)

Qualitatively, the principal proof-test procedure is described in table 9.2.

Sensor element: Proof-test procedure
Output circuitry: Relay or analog signal altered
Measurement electronics: Comparison of the level reading with a secondary measurement (i.e. the BPCS level sensor)
Antenna: Verification that the measurement signal has not degraded significantly and that it is acceptable

Table 9.2: Description of selected radar level sensors' proof-test procedure, segmented by major component

A radar level sensor functions principally as a laser pointer; an electromagnetic wave is transmitted and received. Therefore, there is no need to test the sensor at the specific set-point (LAHH) as long as the product in the tank is further away (lower level), since testing at the set-point does not provide any additional coverage of dangerous undetected failures.

The measurement electronics can be continuously proof-tested by implementing level deviation checks between the BPCS and OPS level sensors.

Figure 9.10: Example of better proof-testing methods with modern overfill prevention equipment (the figure shows the OPS and BPCS level sensors side by side, each with output circuitry, measurement electronics and antenna, and the LAHH set-point in the tank)

Outlook box 9.1: Proof-testing radar level sensors: latest advancements
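
The level deviation check mentioned in the outlook box is simple to implement but has two practical traps: the limit must be wider than the disagreement two healthy sensors show while the level is moving, and a frozen sensor is only visible while the level moves. The following Python is an added example written for this guide; it is not code from the handbook or from any Rosemount product, and the thresholds, the 1 Hz sample series and the stuck-sensor fault in it are constructed for illustration.

```python
"""Continuous comparison of the BPCS and OPS level readings.

Added example for this guide, not code from the handbook or from any
Rosemount product. The thresholds, sample rate and the level series below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    t_s: float      # sample time, seconds
    bpcs_mm: float  # level reported by the BPCS tank gauge, mm
    ops_mm: float   # level reported by the independent OPS sensor, mm


def deviation_limit_mm(max_rate_mm_s: float, response_time_s: float,
                       accuracy_mm: float) -> float:
    """Smallest sensible deviation limit.

    Two healthy sensors can still disagree by the level movement that
    happens within the slower sensor's response time, plus both
    accuracies. A limit below this gives nuisance trips during filling.
    With the data-sheet values 10 mm/s, 30 s and 3 mm this is
    10*30 + 2*3 = 306 mm.
    """
    return max_rate_mm_s * response_time_s + 2.0 * accuracy_mm


def check_deviation(samples: List[Sample], limit_mm: float,
                    persist: int = 3, still_mm: float = 0.5) -> List[Tuple[float, str]]:
    """Scan a time series and return (time, finding) pairs.

    'deviation': |BPCS - OPS| exceeded limit_mm on `persist` consecutive
                 samples (debounced so one noisy reading does not trip).
    'frozen':    the OPS reading stayed within still_mm while the BPCS
                 reading moved, on `persist` consecutive samples, i.e. the
                 OPS output looks stuck. This is only visible while the
                 level actually moves; a stuck sensor on a static tank is
                 invisible to any comparison, which is why this check
                 complements the proof-test rather than replacing it.
    """
    findings: List[Tuple[float, str]] = []
    dev_count = 0
    frozen_count = 0
    prev: Optional[Sample] = None
    for s in samples:
        # Deviation check with persistence (debounce) counter.
        if abs(s.bpcs_mm - s.ops_mm) > limit_mm:
            dev_count += 1
            if dev_count == persist:
                findings.append((s.t_s, "deviation"))
        else:
            dev_count = 0
        # Frozen-output check: OPS still while BPCS moves.
        if prev is not None:
            ops_still = abs(s.ops_mm - prev.ops_mm) <= still_mm
            bpcs_moved = abs(s.bpcs_mm - prev.bpcs_mm) > still_mm
            if ops_still and bpcs_moved:
                frozen_count += 1
                if frozen_count == persist:
                    findings.append((s.t_s, "frozen"))
            else:
                frozen_count = 0
        prev = s
    return findings


def constructed_fill_with_stuck_ops() -> List[Sample]:
    """Constructed 1 Hz series (not measured data): tank filling at 5 mm/s
    from 10 000 mm; the OPS reading freezes at t = 6 s."""
    series = []
    for t in range(30):
        level = 10_000.0 + 5.0 * t
        ops = level if t < 6 else 10_000.0 + 5.0 * 6
        series.append(Sample(float(t), level, ops))
    return series


if __name__ == "__main__":
    print("data-sheet derived limit:", deviation_limit_mm(10, 30, 3), "mm")
    for t, kind in check_deviation(constructed_fill_with_stuck_ops(), limit_mm=50.0):
        print(f"t={t:>4.0f} s  {kind}")
```

Run as a script, it prints the data-sheet derived limit (306 mm for 10 mm/s, 30 s and 3 mm) and, for the constructed series, a "frozen" finding at t = 9 s and a "deviation" finding at t = 19 s. With the wider 306 mm limit the deviation finding never appears inside the 30 s window, but the frozen check still catches the stuck OPS output; on a static tank neither check fires, which is the reason the comparison is a diagnostic between proof-tests and not a substitute for them.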


Proof-testing case: LA Refinery
This Latin American refinery has a tank farm consisting of 300 tanks. Currently, a work force of 15 employees is assigned full time to monthly testing of each tank's manual overfill prevention system, which mainly consists of a mechanical level switch. Hence, each employee proof-tests 20 tanks each month, which corresponds to 8 man-hours per tank and month.

With modern proof-testing procedures, the completion time may be reduced to 30 minutes once every year, corresponding to only 150 man-hours for a full year's proof-testing of the entire tank farm. Consequently, the potential efficiency improvement is almost 15 full-time jobs.

Picture 9.1: Refinery

Case 9.1: Proof-testing case: LA Refinery

9.5 Implications
Proof-testing has become an increasingly important feature and is now one of the key criteria when selecting equipment for modern overfill prevention systems. Some of the relevant features are:
• Is the proof-test procedure properly described?
• Are both comprehensive and partial proof-tests available?
• Has the proof-test been assessed by an accredited 3rd party?
• Is the proof-test IEC 61508 certified?
• Quantitative justification:
  o Is the effectiveness (coverage factor) specified?
  o Is the failure rate (λ) specified?
  o Is the equipment's useful lifetime specified?
• Qualitative justification: is there an acceptable description of why the equipment is adequately tested using the proposed procedure?
• Man-hours to complete the test?
• Safety concerns for the personnel executing the test?
• Requirements for process alterations (e.g. tank level movement)?
• Expected downtime?
• Templates for proof-testing records?
• What overrides/inhibits/bypasses are required?
• Tools required to execute the proof-test?
• Is there a possibility of leaving the device in an unsafe state after the proof-test (e.g. a bypass not removed)?
Detailed selection criteria are provided in chapter 10, "Equipment selection".

10 Equipment selection

Topic
10.1 Overfill prevention system
10.1.1 Level sensors

This chapter lists a number of relevant product properties for the selection of equipment for overfill prevention systems (OPS). The properties listed may be incomplete and are only intended to serve as one of several inputs.

10.1 Overfill prevention system

10.1.1 Level sensors

Instrument Data Sheet (example values)

Information related to this data sheet
  Tank name: TK102
  Safety critical measurement: Yes
  SIF number: TK102-ESD
  SIF description: Tank overfill prevention
  Safety integrity level: SIL 2
  Service description: Crude oil storage
  Sensor HFT: 1

General
  Tag number: LT102b-SIS
  Instrument type: Level sensor
  Safety marking: Yellow tag
  Safety manual: 123456789 rev A

Measurement
  Measurement type (continuous/point): Continuous level
  Measurement technology: Non-contacting radar
  Measurement type (direct/indirect): Direct level measurement
  Measurement affected by process conditions: No
  Instrument accuracy: 3 mm (1/8")
  Level range, min: 0 m (0 ft)
  Level range, max: 30 m (98 ft 5")
  Response time: 30 seconds
  Max level rate: 10 mm (3/8")/second

Reliability data
  3rd party assessment: Exida ROS 123456789 rev A
  Systematic capability: SIL 3
  Random capability: SIL 2
  Failure rate data document: 123456789 rev A
  λsafe: 1234 FIT
  λDD: 1234 FIT
  λDU: 1234 FIT
  Mean time to fail (1/λ): 100 years
  Mean time to repair: 4 hours (typical value)
  Common-cause factor (only applicable if HFT>0): β = 1.4%

Proof-test
  Proof-test document: Safety manual
  Coverage (% of λDU): 80%
  Mean time for completion: 15 minutes
  Tools/data required: Secondary level measurement; ampere meter
  Personnel safety concerns: N/A
  Process access required: No
  Process alteration required: No

Miscellaneous
  Startup time: 20 seconds
  Replacement procedure: See safety manual
  Maintenance procedure: See safety manual
  Recommended spare parts: See safety manual
  SAT procedure: See safety manual
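
The reliability and proof-test rows of the data sheet (λDU, coverage, useful life, HFT, β) are exactly the inputs needed to estimate the sensor's PFDavg and the proof-test interval it can sustain, which is the quantitative justification chapter 9 asks for. The following Python is an added example written for this guide, not a calculation from the handbook or from a vendor tool. It uses the simplified single-channel and 1oo2 approximations commonly used with IEC 61508 reliability data (constant failure rates; λDD, MTTR, logic solver and final element left out), and the 100 FIT λDU, 80 % coverage, 1.4 % β and 10-year life are constructed values standing in for the sheet's placeholders.

```python
"""PFDavg estimates for an OPS level sensor from data-sheet quantities
(λDU, proof-test coverage, proof-test interval, useful life, HFT, β).

Added example for this guide; not part of the original text and not a
product calculation. Formulas are the simplified approximations commonly
used with IEC 61508 reliability data (constant failure rates; λDD/MTTR,
logic solver and final element left out). All numbers are constructed.
"""
from typing import Optional

HOURS_PER_YEAR = 8760.0


def fit_to_per_hour(fit: float) -> float:
    """FIT = failures per 1e9 device-hours."""
    return fit * 1e-9


def pfd_avg_1oo1(lambda_du_fit: float, coverage: float,
                 ti_years: float, life_years: float) -> float:
    """Single sensor (HFT = 0) with a partial proof-test.

    The fraction `coverage` of λDU is revealed at every proof-test
    interval TI; the remaining (1 - coverage) is only revealed when the
    device is replaced at the end of its useful life LT:

        PFDavg ≈ C·λDU·TI/2 + (1 - C)·λDU·LT/2
    """
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be a fraction between 0 and 1")
    if ti_years <= 0 or ti_years > life_years:
        raise ValueError("proof-test interval must be positive and not exceed useful life")
    lam = fit_to_per_hour(lambda_du_fit)
    ti = ti_years * HOURS_PER_YEAR
    lt = life_years * HOURS_PER_YEAR
    return coverage * lam * ti / 2.0 + (1.0 - coverage) * lam * lt / 2.0


def pfd_avg_1oo2(lambda_du_fit: float, beta: float, ti_years: float) -> float:
    """Two redundant sensors (HFT = 1), full-coverage proof-test every TI.

        PFDavg ≈ ((1 - β)·λDU)²·TI²/3 + β·λDU·TI/2

    β is the common-cause fraction from the data sheet. The β term usually
    dominates, which is why redundancy alone buys little without diverse
    technology and good installation practice.
    """
    lam = fit_to_per_hour(lambda_du_fit)
    ti = ti_years * HOURS_PER_YEAR
    independent = ((1.0 - beta) * lam) ** 2 * ti ** 2 / 3.0
    common_cause = beta * lam * ti / 2.0
    return independent + common_cause


def sil_band(pfd: float) -> int:
    """IEC 61508 low-demand PFDavg bands; 0 means below SIL 1.

    This is the random-hardware part only: the achievable SIL is also capped
    by the systematic capability and architectural constraints on the sheet.
    """
    if pfd < 1e-4:
        return 4
    if pfd < 1e-3:
        return 3
    if pfd < 1e-2:
        return 2
    if pfd < 1e-1:
        return 1
    return 0


def longest_test_interval_years(lambda_du_fit: float, coverage: float,
                                life_years: float, target_pfd: float) -> Optional[int]:
    """Largest whole-year TI whose 1oo1 PFDavg stays below target_pfd, else None."""
    best = None
    for years in range(1, int(life_years) + 1):
        if pfd_avg_1oo1(lambda_du_fit, coverage, years, life_years) < target_pfd:
            best = years
    return best


if __name__ == "__main__":
    # Constructed sensor: λDU = 100 FIT, coverage 80 %, 10-year useful life.
    for ti in (0.5, 1, 2, 5, 10):
        p = pfd_avg_1oo1(100, 0.80, ti, 10)
        print(f"1oo1 TI={ti:>4} y  PFDavg={p:.2e}  SIL {sil_band(p)}")
    p2 = pfd_avg_1oo2(100, 0.014, 1)
    print(f"1oo2 TI=   1 y  PFDavg={p2:.2e}  SIL {sil_band(p2)}")
    print("longest 1oo1 interval for SIL 2:",
          longest_test_interval_years(100, 0.80, 10, 1e-2), "years")
```

For the constructed sensor a yearly 80 % coverage test gives PFDavg ≈ 1.2e-3 (SIL 2); halving the interval barely helps (≈ 1.05e-3) because the untested 20 % of λDU, revealed only at replacement, dominates. That is the numeric reason chapter 9 insists on a stated coverage factor and useful life. Extending the interval to the full 10 years still lands at 4.4e-3, inside SIL 2, which is the kind of arithmetic behind the "proof-test intervals exceeding 10 years" claim for sensors with high coverage and low λDU. In the 1oo2 case the β term outweighs the independent term by more than an order of magnitude.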

11 Appendix: Overfill prevention system examples

Topic
11.1 Bulk liquid storage
  11.1.1 Fixed roof tanks
  11.1.2 Floating roof tanks
  11.1.3 Spherical tanks
  11.1.4 Bullet tanks
11.2 Process vessels
  11.2.1 Top mounted OPS level sensor
  11.2.2 Chamber mounted OPS level sensor
  11.2.3 Side mounted OPS level sensor
  11.2.4 Separator tank
  11.2.5 Distillation column
  11.2.6 Boiler drum
  11.2.7 Blending tank

11.1 Bulk liquid storage

11.1.1 Fixed roof tanks

[Figure: Automatic Overfill Prevention System (AOPS), left, and Automatic Tank Gauging (ATG), right, on a fixed roof tank. AOPS: Rosemount 5900S Radar Level Gauge (SIL 3), Rosemount 2410 Tank Hub (SIL 3), DeltaV SIS, independent alarm panel with High-High Alarm, and a SIL-PAC (Fisher DVC + Bettis actuator) on a Fisher valve (SIL 3). ATG: Rosemount 5900S Radar Level Gauge, Rosemount 2240S Multiple Point Temperature, Rosemount 2230 Graphical Field Display, Rosemount 2410 Tank Hub, Smart Wireless THUM Adapter, 1400 Smart Wireless Gateway, Rosemount 2460 System Hub and an optional connection to TankMaster Inventory Management Software; includes visual and audible Level Alert High and Level Alarm High-High (optional).]

Illustration shows a fixed roof tank equipped with Automatic Tank Gauging based on the Rosemount 5900S and a SIL 3 AOPS based on the Rosemount 5900S, DeltaV SIS and a Bettis actuator.
Below are alternative Rosemount level sensors for fixed roof tanks (OPS sensor paired with the ATG gauge):
• Rosemount 2100 (AOPS, MOPS) with Rosemount 5900S ATG
• Rosemount 5300 (AOPS, MOPS) with Rosemount 5900S ATG
• Rosemount 5400 (AOPS, MOPS) with Rosemount 5900S ATG
• Rosemount 5900C (AOPS, MOPS) with Rosemount 5900S ATG
• Rosemount 5900S (AOPS, MOPS) with Rosemount 5900S ATG
• Rosemount 5900S 2-in-1 (AOPS), one gauge providing both the OPS and the ATG measurement
• Rosemount 2160 (MOPS) with Rosemount 5900S ATG
• Rosemount 3308 (MOPS) with Rosemount 5900S ATG

11.1.2 Floating roof tanks

[Figure: AOPS, left, and ATG, right, on a floating roof tank, with the overfill level marked. AOPS: Rosemount 5900S 2-in-1 Radar Level Gauge with Rosemount 2240S Multiple Point Temperature and Rosemount 2230 Graphical Field Display, Rosemount 2410 Tank Hub (SIL 3), DeltaV SIS, independent alarm panel with High-High Alarm, and a SIL-PAC (Fisher DVC + Bettis actuator) on a Fisher valve (SIL 3). ATG: Rosemount 2410 Tank Hub, Smart Wireless THUM Adapter, 1400 Smart Wireless Gateway, Rosemount 2460 System Hub and an optional connection to TankMaster Inventory Management Software; includes visual and audible Level Alert High and Level Alarm High-High (optional).]

Illustration shows a floating roof tank equipped with Automatic Tank Gauging based on the Rosemount 5900S and a SIL 3 AOPS based on the Rosemount 5900S, DeltaV SIS and a Bettis actuator.

Below are alternative Rosemount level sensors for floating roof tanks (OPS sensor paired with the ATG gauge; "pipe" and "roof-plate" denote the installation shown):
• Mobrey DS21D (MOPS) with Rosemount 5900S ATG
• Rosemount 5900S (AOPS, MOPS) with Rosemount 5900C ATG (pipe)
• Rosemount 5900S (AOPS, MOPS), roof-plate, with Rosemount 5900C ATG
• Rosemount 5900S (AOPS, MOPS), pipe, with Rosemount 5900S ATG
• Rosemount 5900S (AOPS, MOPS), roof-plate, with Rosemount 5900S ATG
• Rosemount 5900S 2-in-1 (AOPS, MOPS), one gauge providing both measurements

11.1.3 Spherical tanks

[Figure: AOPS, left, and ATG, right, on a spherical tank. AOPS: Rosemount 5900S Radar Level Gauge with pressure transmitter (SIL 3), Rosemount 644 with single point temperature, verification pin, Rosemount 2410 Tank Hub (SIL 3), DeltaV SIS, independent alarm panel with High-High Alarm, and a SIL-PAC (Fisher DVC + Bettis actuator) on a Fisher valve (SIL 3). ATG: Rosemount 5900S Radar Level Gauge with pressure transmitter, Rosemount 644 with single point temperature, Rosemount 2230 Graphical Field Display, Rosemount 2410 Tank Hub, Smart Wireless THUM Adapter, 1400 Smart Wireless Gateway, Rosemount 2460 System Hub and an optional connection to TankMaster Inventory Management Software; includes visual and audible Level Alert High and Level Alarm High-High (optional).]

Illustration shows a spherical tank equipped with Automatic Tank Gauging based on the Rosemount 5900S and a SIL 3 AOPS based on the Rosemount 5900S, DeltaV SIS and a Bettis actuator.

Below are alternative Rosemount level sensors for spherical tanks (OPS sensor paired with the ATG gauge):
• Rosemount 5900S (AOPS, MOPS) with Rosemount 5900C ATG
• Rosemount 5900S (AOPS, MOPS) with Rosemount 5900S ATG
• Rosemount 5900S 2-in-1 (AOPS, MOPS), one gauge providing both measurements

11.1.4 Bullet tanks

[Figure: AOPS, left, and ATG, right, on a bullet tank. AOPS: Rosemount 5900S Radar Level Gauge with pressure transmitter (SIL 3), Rosemount 644 with single point temperature, verification pin, Rosemount 2410 Tank Hub (SIL 3), DeltaV SIS, independent alarm panel with High-High Alarm, and a SIL-PAC (Fisher DVC + Bettis actuator) on a Fisher valve (SIL 3). ATG: Rosemount 5900S Radar Level Gauge with pressure transmitter, Rosemount 644 with single point temperature, Rosemount 2230 Graphical Field Display, Rosemount 2410 Tank Hub, Smart Wireless THUM Adapter, 1400 Smart Wireless Gateway, Rosemount 2460 System Hub and an optional connection to TankMaster Inventory Management Software; includes visual and audible Level Alert High and Level Alarm High-High (optional).]

Illustration shows a bullet tank equipped with Automatic Tank Gauging based on the Rosemount 5900S and a SIL 3 AOPS based on the Rosemount 5900S, DeltaV SIS and a Bettis actuator.

Below are alternative Rosemount level sensors for bullet tanks (OPS sensor paired with the ATG gauge):
• Rosemount 5300 (AOPS, MOPS) with Rosemount 5900S ATG
• Rosemount 3308 (MOPS) with Rosemount 5900S ATG
• Rosemount 5900C (AOPS, MOPS) with Rosemount 5900S ATG
• Rosemount 5900S (AOPS, MOPS) with Rosemount 5900S ATG
• Rosemount 5900S 2-in-1 (AOPS, MOPS), one gauge providing both measurements

Additional bulk liquid storage tank examples are available in "The Complete Guide to API 2350" (Ref. No. 901030).

11.2 Process vessels

11.2.1 Top mounted OPS level sensor

[Figure: AOPS, left, and Basic Process Control System (BPCS), right, on a cone tank. AOPS: top mounted Rosemount 5300 (SIL 2) to a safety logic solver (SIL 3) acting on an ESD valve (SIL 3); a pump feeds the tank. BPCS: Rosemount 5400 to the control/monitoring system with audible and visual alarms. Levels marked: MWL (Maximum Work Level), Hi (High Level), HiHi (High High Level).]

Illustration shows a cone tank equipped with a Rosemount 5400 for BPCS and a SIL 2 AOPS based on Rosemount 5300, DeltaV SIS and Bettis actuator.

[Figure: Manual Overfill Prevention System (MOPS), left, and BPCS, right, on a cone tank. MOPS: Rosemount 2100 with audible and visual alarms. BPCS: Rosemount 5300 to the control/monitoring system. Levels marked: MWL (Maximum Work Level), Hi (High Level), HiHi (High High Level).]

Illustration shows a cone tank equipped with a Rosemount 5300 for BPCS and a MOPS based on a Rosemount 2100.

Below are alternative Rosemount level sensors for top mounting (OPS sensor paired with a Rosemount 5300 for BPCS):
• Rosemount 5400 (AOPS)
• Rosemount 5300 (AOPS)
• Rosemount 2100 (AOPS)
• Rosemount Wireless Vertical Float Switch 702 (MOPS)
• Rosemount Wireless 3308 (MOPS)
• Rosemount Wireless 2160 (MOPS)

11.2.2 Chamber mounted OPS level sensor

[Figure: AOPS, left, and BPCS, right, with chamber (bypass) installations. AOPS: chamber mounted Rosemount 5300 (SIL 2) to a safety logic solver (SIL 3) acting on an ESD valve; a pump feeds the vessel. BPCS: chamber mounted Rosemount 5300 to the control/monitoring system with audible and visual alarms. Levels marked: MWL (Maximum Work Level), Hi (High Level), HiHi (High High Level).]

Illustration shows chamber installations. Rosemount 5300 is used for BPCS and a SIL 2 AOPS is based on Rosemount 5300, DeltaV SIS and Bettis actuator.

Below are alternative Rosemount level sensors for chamber installations:
• Rosemount 2100 column (MOPS) with Rosemount 5300 for BPCS

[Figure: MOPS, left, and BPCS, right, with chamber installations. MOPS: Rosemount 3308 with audible and visual alarms. BPCS: Rosemount 5300 to the control/monitoring system. Levels marked: MWL (Maximum Work Level), Hi (High Level), HiHi (High High Level).]

Illustration shows a cone tank equipped with a Rosemount 5300 for BPCS and a MOPS based on a Rosemount 3308.

Below are alternative Rosemount level sensors for chamber installations:
• Rosemount 2160 column (MOPS) with Rosemount 5300 for BPCS

11.2.3 Side mounted OPS level sensor

[Figure: AOPS, left, and BPCS, right, with a tank side installation. AOPS: side mounted Rosemount 2100 (SIL 2) to a safety logic solver (SIL 3) acting on an ESD valve (SIL 3); a pump feeds the tank. BPCS: Rosemount 5300 to the control/monitoring system with audible and visual alarms. Levels marked: MWL (Maximum Work Level), Hi (High Level), HiHi (High High Level).]

Illustration shows a tank side installation. Rosemount 5300 is used for BPCS and a SIL 2 AOPS is based on Rosemount 2100, DeltaV SIS and Bettis actuator.

[Figure: MOPS, left, and BPCS, right, with a tank side installation. MOPS: wireless Rosemount vertical float switch 702 with audible and visual alarms. BPCS: Rosemount 5300 to the control/monitoring system. Levels marked: MWL (Maximum Work Level), Hi (High Level), HiHi (High High Level).]

Illustration shows a tank side installation. Rosemount 5300 is used for BPCS and a MOPS is based on a wireless Rosemount vertical float switch 702.

Below is an alternative Rosemount level sensor for side mounting:
• Rosemount 2160 (MOPS) with Rosemount 5300 for BPCS

11.2.4 Separator tank

The separator tank is a vessel that allows fluids to separate into different components.

[Figure: AOPS, left, and BPCS, right, on a separator tank. AOPS: two Rosemount 2100 switches (SIL 2 each, one for overfill and one for dry-run protection) to a safety logic solver (SIL 3) acting on an ESD valve (SIL 3) and the pump. BPCS: two Rosemount 5300 for level and interface measurement to the control/monitoring system with audible and visual alarms.]

Illustration shows a separator tank equipped with a BPCS with two Rosemount 5300 for level and interface measurement, and SIL 2 AOPS and SIL 2 dry-run protection based on Rosemount 2100, DeltaV SIS and Bettis actuator.

11.2.5 Distillation column

Distillation columns allow separation of fluid mixtures based upon their boiling points. As vapors rise through the column, different components will condense at different temperatures and accumulate for withdrawal.

[Figure: AOPS, left, and BPCS, right, on a distillation column. AOPS: several Rosemount 5300 (SIL 2) at different column sections to a safety logic solver (SIL 3) acting on an ESD valve (SIL 3) and the pump. BPCS: Rosemount 5300 for level measurement to the control/monitoring system with audible and visual alarms.]

Illustration shows a distillation column equipped with a BPCS with a Rosemount 5300 for level measurement and a SIL 2 AOPS based on Rosemount 5300, DeltaV SIS and Bettis actuator.

11.2.6 Boiler drum

[Figure: AOPS, left, and BPCS, right, on a boiler drum. AOPS: three Rosemount 5300 (SIL 2 each) voted 2oo3 in a safety logic solver (SIL 3) acting on an ESD valve (SIL 3) and the pump. BPCS: Rosemount 5300 for level measurement to the control/monitoring system with audible and visual alarms.]

Illustration shows a boiler drum equipped with a BPCS with a Rosemount 5300 for level measurement and a SIL 3 AOPS based on three Rosemount 5300 (2oo3), DeltaV SIS and Bettis actuator.

11.2.7 Blending tank

Blending tanks are used for mixing fluids or solids into fluids, usually at ambient conditions. Level measurements are used to monitor fluid additions.

[Figure: AOPS, left, and BPCS, right, on a blending tank. AOPS: Rosemount 5400 (SIL 2) to a safety logic solver (SIL 3) acting on an ESD valve (SIL 3) and the pump. BPCS: Rosemount differential pressure level measurement to the control/monitoring system with audible and visual alarms.]

Illustration shows a blending tank equipped with a BPCS based on Rosemount differential pressure level measurement and a SIL 2 AOPS based on the Rosemount 5400, DeltaV SIS and Bettis actuator.
12 References

Topic
12.1 Literature references
12.2 Picture references

12.1 Literature references

American Petroleum Institute (2012) API 2350, Overfill Protection for Storage Tanks in Petroleum Facilities, Fourth edition
Central Intelligence Agency (2015) The World Factbook, https://www.cia.gov/library/publications/the-world-factbook/rankorder/2246rank.html (accessed 2015-09-04)
Center for Chemical Process Safety (2007) Guidelines for Risk Based Process Safety, Wiley
Control of Major Accident Hazards (2011) Buncefield: Why did it happen? http://www.hse.gov.uk/comah/buncefield/buncefield-report.pdf (accessed 2015-09-03)
Felten, D. (2015) When Prevention Fails: Managing Your Spill Response, NISTM 17th Annual International Aboveground Storage Tank Conference & Trade Show, Florida
Goble, W. (2013) Make the IEC 61511 into a cookbook? http://www.exida.com/Blog/Make-IEC-61511-into-a-Cookbook#sthash.oqiYamB1.dpuf (accessed 2015-07-21)
International Electrotechnical Commission, IEC 61511 Functional safety - Safety instrumented systems for the process industry sector
International Electrotechnical Commission (2010) IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems
Loren Steffy (2005) BP reveals costs of Texas City settlements, http://blog.chron.com/lorensteffy/2005/07/bp-reveals-costs-of-texas-city-settlements/ (accessed 2015-07-17)
Marsh & McLennan Companies (2011) Management of Atmospheric Storage Tank, Rev 01, United Kingdom
Mars (2007) Recommendations on the design and operation of fuel storage sites, Buncefield Major Incident Investigation Board
M B Lal Committee Report (2009) Independent Inquiry Committee Report on Indian Oil Terminal Fire at Jaipur, http://oisd.gov.in/ (accessed 2015-09-04)
Puerto Rico Seismic Network (2009) Informe Especial, Explosión de Caribbean Petroleum en Bayamón, University of Puerto Rico Mayagüez Campus
Sreenevasan, R. (2015) The effect of regulations in improving process safety, Tetra Tech Proteus, https://www.engineersaustralia.org.au/sites/default/files/shado/Learned%20Groups/Technical%20Societies/Risk%20Engineering%20Society/australian_regulations_res_wa_paper.pdf (accessed 2015-07-21)
United States Environmental Protection Agency (2014) Response to Oil Spills, http://www.epa.gov/ceppo/web/content/learning/response.htm (accessed 2015-07-14)
U.S. Chemical Safety and Hazard Investigation Board (2015) Final Investigation Report: Caribbean Petroleum Tank Terminal Explosion and Multiple Tank Fires, http://www.csb.gov/assets/1/16/06.09.2015_FINAL_CAPECO_Draft_Report__for_Board_Vote.pdf (accessed 2015-09-03)

12.2 Picture references

In order of appearance:
Picture 1.1: https://commons.wikimedia.org/wiki/File:Buncefield2.jpg (accessed 2015-07-20)
Picture 1.2: By Andrea Booher, https://commons.wikimedia.org/wiki/File:FEMA_-_7429_-_Photograph_by_Andrea_Booher_taken_on_12-20-2002_in_Guam.jpg (accessed 2015-07-20)
Picture 2.1: By Enriquillonyc, https://commons.wikimedia.org/wiki/File:2009_Catano_refinery_explosion.jpg (accessed 2015-07-20)
Picture 2.2: Copyright Emerson
Picture 2.3: https://commons.wikimedia.org/wiki/File:Buncefield.jpg (accessed 2015-07-20)
Picture 2.4: https://commons.wikimedia.org/wiki/File:Caribbean_Petroleum_Corporation_Disaster.jpg (accessed 2015-07-20)
Picture 2.5: https://commons.wikimedia.org/wiki/File:Va._Guard_personnel_assist_W.Va._water_collection_operations_140119-Z-BN267-003.jpg (accessed 2015-07-20)
Picture 2.6: https://pixabay.com/sv/photos/water%20tank/ (accessed 2015-07-16)
Picture 2.7: https://commons.wikimedia.org/wiki/File:BP_PLANT_EXPLOSION-1_lowres2.jpg (accessed 2015-07-20)
Picture 2.8: By Jonas Jordan, United States Army Corps of Engineers [Public domain], via Wikimedia Commons, http://www.hq.usace.army.mil/history/Kuwait_burn_oilfield.jpg
Picture 3.1: Copyright Emerson
Picture 3.2: Copyright Emerson
Picture 3.3: Copyright Emerson
Picture 3.4: Copyright Emerson
Picture 9.1: "Anacortes Refinery 32017" by Walter Siegmund (talk), own work, licensed under CC BY 2.5 via Commons, https://commons.wikimedia.org/wiki/File:Anacortes_Refinery_32017.JPG#/media/File:Anacortes_Refinery_32017.JPG

About the authors

Lead author
Carl-Johan Roos, Functional Safety Officer, Emerson Process Management, Rosemount Level
Carl-Johan "CJ" Roos has 10+ years of global experience in various technical and managerial positions in the process industry. In addition to his API 2350 work, he has actively participated in numerous product-specific IEC 61508 certifications and site-specific IEC 61511 projects, alongside his usual work as functional safety officer at Emerson's Process Level division, where he often addresses national overfill prevention regulations such as TÜV/DIBt WHG in Germany. In 2015, he received Process Control Magazine's "Engineering Leaders Under 40" award. Roos has a Master's degree in Electrical and Computer Engineering from Georgia Tech and Chalmers University, and a Master of Business Administration degree from the University of Gothenburg.

Co-author
Phil E. Myers, API 2350 Committee Chairman
Phil E. Myers has chaired numerous task groups for the American Petroleum Institute, including API 2350. Currently, he is the director of PEMY Consulting. He has also worked at Chevron Corporation, where he was a mechanical integrity specialist for tanks, piping and pressure vessels specializing in safety and risk. Myers holds a BSc in Chemical Engineering from UC Berkeley and an MSc in Theoretical and Applied Statistics from California State University.

Acknowledgements
This handbook is the result of a joint effort of Emerson colleagues and customers around the world. Thanks to all of the Emerson functional safety experts who gave their input to this project and laid the foundation of the content.
Thank you also to Patricia Mattsson and Martin Larsson for developing the outstanding visuals and layout that enhance the user experience of this handbook. A special thanks also goes out to Peta Glenister for her editing and valuable comments.
Finally, thanks to all of the unnamed contributors and all of the Rosemount Level users out there!
Rosemount products for overfill prevention

[Figure: product overview for the process industry. Automatic Overfill Prevention System: Rosemount 2100, 5300 and 5400 level sensors (SIL 2) to a SIL 3 safety logic solver and a SIL 3 ESD valve; pump feed. Basic Process Control System: Rosemount 5400 and 5300 to the control/monitoring system with audible and visual alarms. Manual Overfill Prevention System: Rosemount 2100 and wireless Mobrey float switches.]

[Figure: product overview for the bulk liquid industry. Automatic Overfill Prevention System: Rosemount 5900S 2-in-1, 5900S, 5900C, 5400, 5300 and 2100 (SIL 2 and SIL 3 badges) to a SIL 3 safety logic solver and a SIL 3 ESD valve; pump feed. Basic Process Control System: Rosemount 5900S, 5900C, 5400 and 5300 to the control/monitoring system with audible and visual alarms. Manual Overfill Prevention System: Rosemount 5900S 2-in-1, 2100, Mobrey floating roof switch and wireless options.]
Global capabilities

Global Headquarters
Emerson Process Management
6021 Innovation Blvd.
Shakopee, MN 55379, USA
+1 800 999 9307 or +1 952 906 8888
+1 952 949 7001
RFQ.RMD-RCC@EmersonProcess.com

Europe Regional Office
Emerson Process Management Europe GmbH
Neuhofstrasse 19a, P.O. Box 1046
CH 6340 Baar, Switzerland
+41 (0) 41 768 6111
+41 (0) 41 768 6300
RFQ.RMD-RCC@EmersonProcess.com

North America Regional Office
Emerson Process Management
8200 Market Blvd.
Chanhassen, MN 55317, USA
+1 800 999 9307 or +1 952 906 8888
+1 952 949 7001
RMT-NA.RCCRFQ@Emerson.com

Latin America Regional Office
Emerson Process Management
1300 Concord Terrace, Suite 400
Sunrise, Florida 33323, USA
+1 954 846 5030
+1 954 846 5121
RFQ.RMD-RCC@EmersonProcess.com

Asia Pacific Regional Office
Emerson Process Management Asia Pacific Pte Ltd
1 Pandan Crescent
Singapore 128461
+65 6777 8211
+65 6777 0947
Enquiries@AP.EmersonProcess.com

Middle East and Africa Regional Office
Emerson Process Management
Emerson FZE, P.O. Box 17033
Jebel Ali Free Zone - South 2
Dubai, United Arab Emirates
+971 4 8118100
+971 4 8865465
RFQ.RMTMEA@Emerson.com

www.rosemount.com

Recommended retail price $75.99

Standard Terms and Conditions of Sale can be found at: www.rosemount.com\terms_of_sale.
The Emerson logo is a trademark and service mark of Emerson Electric Co.
Rosemount and Rosemount logotype are registered trademarks of Rosemount Inc.
All other marks are the property of their respective owners.
© 2015 Emerson Process Management. All rights reserved.

Literature reference number: 00805-0100-1042 Rev. AA